
Splunk for Exchange Field Extractions

lhollada0
Engager

Hello, I'm having some issues getting field extractions to work correctly. I've deployed the "TA-Windows-2008R2-Exchange-IIS" app to my CAS server, using the Universal Forwarder. I have the props.conf and transforms.conf in the same directory as the inputs.conf. But when I search the IIS logs on my search head, the fields defined in transforms.conf are not present.

I'm sure I'm missing something here regarding the difference between search-time and index-time field extractions, and the inability of the forwarder to parse data. Any help would be appreciated.


ahall_splunk
Splunk Employee
Splunk Employee

The field extraction definitions are held in both the TA (as globally accessible extractions) and Splunk_for_Exchange (as local extractions). As such, if you have only installed Splunk_for_Exchange on your indexer/search head, then you will only see the extractions within the Splunk_for_Exchange app. There is a search bar in the overview screen of the Splunk_for_Exchange app that will allow you to view the extractions.


lhollada0
Engager

Thanks for the clarification. Another thing I needed to do was to modify props.conf because I am already indexing the IIS logs under a different sourcetype. Looks good now.

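Added example, not from this thread or the TA: a minimal search-time extraction pair for IIS W3C logs. The sourcetype and stanza names are assumed. It illustrates the two points the thread lands on: REPORT- extractions are search-time and so must exist on the search head (not only on the forwarder), and the props.conf stanza must name the sourcetype the events are actually indexed under.

```ini
# props.conf (search head). Bind the extraction to the sourcetype the IIS
# events are really indexed under. "iis:exchange" is an assumed name; replace
# it with whatever `| stats count by sourcetype` shows for your CAS logs.
[iis:exchange]
# REPORT- is a search-time extraction evaluated on the search head, so this
# stanza has no effect if it only lives in the forwarder's app directory.
REPORT-iis_fields = iis_w3c_fields

# transforms.conf (search head). Hypothetical stanza, not the TA's own.
# IIS W3C logs are space-delimited; FIELDS must follow the order of the
# "#Fields:" header that IIS writes at the top of each log file.
[iis_w3c_fields]
DELIMS = " "
FIELDS = date, time, s_ip, cs_method, cs_uri_stem, cs_uri_query, s_port, cs_username, c_ip, cs_user_agent, sc_status, sc_substatus, sc_win32_status, time_taken
```

To confirm which app's stanza wins for that sourcetype on the search head, run `splunk btool props list iis:exchange --debug` and check that the REPORT- line comes from the file you expect.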