Hello,
I am going bananas trying to figure out the error in my props.conf. All of my logs are collected using Splunk Enterprise and forwarded to a centralized server that I do not have CLI access to. I do all of my main configuration from the source host command line and forward the data to the centralized server. I need to extract a field called "microservice" from my source path. I have tested my regular expression in search with the following statement, and it works.
host=myhostname sourcetype=log4j | rex field=source "^\/opt\/apps\/myapp\/microServices\/(?<microservice>\w+)\/.*"
Example path:
/opt/apps/myapp/microServices/neededDirectoryName/Logs/mylog_log.log
There are many directories that I am collecting logs from that all share the same sourcetype, log4j. I am also only indexing error logs from this sourcetype; that is what the TRANSFORMS is for. I'll include my transforms.conf for reference. I have other regular expressions extracting fields from the log events in Splunk Web (on the centralized server).
props.conf:
[log4j]
# search-time field extraction: the regex runs against the source field, not _raw
EXTRACT-mspls = ^\/opt\/apps\/myapp\/microServices\/(?<microservice>\w+)\/.* in source
# index-time routing: the transforms are applied in the order listed
TRANSFORMS-set = nullqueue, errorlogs
transforms.conf:
[nullqueue]
# applied first: send every log4j event to the null queue (dropped)
REGEX = .
DEST_KEY = queue
FORMAT = nullQueue
[errorlogs]
# applied second: lines starting with [ERROR], [WARN] or [MANDATORY] go back to the index queue
REGEX = ^(\[ERROR\]|\[WARN\]|\[MANDATORY\])
DEST_KEY = queue
FORMAT = indexQueue
Thank you!!
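The two regexes and the queue routing in the post can be checked offline before touching the configs. The script below is an added example, not part of the original post and not Splunk's own code: it is a simplified model of what the TRANSFORMS-set ordering does (transforms are applied in the listed order and a later match on the same DEST_KEY overwrites an earlier one, which is the documented way to drop everything and then re-admit selected events), followed by the source-path extraction. The sample events are constructed for the example, and the named group uses Python's `(?P<name>...)` spelling of the `(?<name>...)` group in the post. One caveat worth keeping in mind: EXTRACT- classes are search-time extractions, so Splunk evaluates them where the search runs, not on the forwarder; the script only shows what the regex yields for a given path.

```python
import re

# Constructed sample events (source path, raw line); not taken from the original post.
SAMPLE_EVENTS = [
    ("/opt/apps/myapp/microServices/neededDirectoryName/Logs/mylog_log.log", "[ERROR] connection refused"),
    ("/opt/apps/myapp/microServices/neededDirectoryName/Logs/mylog_log.log", "[INFO] service started"),
    ("/opt/apps/myapp/microServices/billing/Logs/app.log", "[WARN] slow query"),
    ("/opt/apps/myapp/microServices/billing/Logs/app.log", "[MANDATORY] audit entry"),
    ("/opt/apps/myapp/microServices/billing/Logs/app.log", "  [ERROR] indented, anchored regex will not match"),
    ("/var/log/other/app.log", "[ERROR] not under microServices"),
    ("/opt/apps/myapp/microServices/order-service/Logs/app.log", "[WARN] hyphen in directory name"),
]

# Same regex as EXTRACT-mspls, with Python's (?P<...>) named-group syntax.
SOURCE_RE = re.compile(r"^\/opt\/apps\/myapp\/microServices\/(?P<microservice>\w+)\/.*")

# Ordered model of TRANSFORMS-set = nullqueue, errorlogs: (stanza, REGEX, FORMAT).
TRANSFORMS = [
    ("nullqueue", re.compile(r"."), "nullQueue"),
    ("errorlogs", re.compile(r"^(\[ERROR\]|\[WARN\]|\[MANDATORY\])"), "indexQueue"),
]


def route_event(raw):
    """Return the queue an event ends up in.

    Assumption (simplified model of Splunk's behaviour): each transform whose REGEX
    matches the raw event writes its FORMAT into DEST_KEY=queue, in the listed order,
    so the last matching transform decides. Matching is unanchored, like REGEX in
    transforms.conf, which is why the second stanza needs its own ^ anchor.
    """
    queue = "indexQueue"  # default when nothing matches
    for _name, regex, fmt in TRANSFORMS:
        if regex.search(raw):
            queue = fmt
    return queue


def extract_microservice(source):
    """Value of the microservice field for a source path, or None if the regex does not match."""
    m = SOURCE_RE.match(source)
    return m.group("microservice") if m else None


def process(events):
    """Keep only events routed to indexQueue and attach the extracted field to each."""
    indexed = []
    for source, raw in events:
        if route_event(raw) != "indexQueue":
            continue
        indexed.append({"source": source, "raw": raw, "microservice": extract_microservice(source)})
    return indexed


if __name__ == "__main__":
    for event in process(SAMPLE_EVENTS):
        print(f"{event['microservice']!s:22} {event['raw']}")
```

Two things the sample set exposes that a quick `| rex` in search does not: an event whose line is indented is dropped because the errorlogs REGEX is anchored at `^`, and a directory such as `order-service` yields no microservice value because `\w+` stops at the hyphen. If the real directory names contain hyphens or dots, the character class in EXTRACT-mspls needs widening to something like `[^/]+`.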
What problem are you having? Is the field not getting extracted? The event not showing up? Something else?