Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field extraction with props.conf and transforms.conf

DrFedtke
Explorer
‎09-12-2015 06:13 AM

Hi all,

I tried to find a way to extract fields automatically after adding new data.

The input is of the type:

Log^key1=value1^key2=value2^key3=value3^

props.conf:

[LogType]
REPORT-LogType = LogTypeKV

transforms.conf:

[LogTypeKV]
FORMAT = $1::$2
REGEX = (\w+)=([^\^]+)

In the past it somehow worked, but now it doesn't. What am I missing?

Regards,
Caspar

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DrFedtke
Explorer
‎11-08-2015 11:22 AM

The problem were read and write permissions of the *.conf files under Windows.
I had to manually assign the right permission to get it working.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

DrFedtke
Explorer
‎11-08-2015 11:22 AM

The problem were read and write permissions of the *.conf files under Windows.
I had to manually assign the right permission to get it working.

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎09-28-2017 03:27 PM

@DrFedtke - Thank you for posting the solution. Since your issue appears to be solved, please accept the answer so that others will know the problem is complete.

0 Karma
Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎09-12-2015 09:03 AM

To my imperfect eyes, that looks like it should still work. So perhaps it's no longer being applied for some reason? I can think of two broad reasons: one is that the format of the events could have changed slightly so the regex doesn't apply, another is that for some reason the entire stanzas aren't applying because of a change in sourcetype, host IP or something like that.

So, first, if you have older data still around and properly parsed, compare the fields list for it (sourcetype, source, host, etc...) with some of the newer ones. If you can get it to a short timeframe where you only have a couple of entries, about half of which work and half of which don't, that would be perfect. Also compare the _raw entries closely and see if you can spot a change.

If that doesn't turn up anything interesting, try running ./splunk cmd btool props list and ./splunk cmd btool transforms list from your $splunkhome/bin directory to see what's there. You might need to redirect that output to a file so you can peruse it at your leisure. If you are on windows, you can pipe it to the clipboard ... | clip and paste it into Notepad++ or something, too. Here's some minor help on btool.

Report back with findings if that doesn't help you sort it out. You have already included the stanzas above (if they're complete), but if you could post an actual event from before the breakage and one from after, then maybe if appropriate some relevant btool output, we could lend some eyeballs to the problem better.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...