Field extractions are not coming up on splunk.

joydeep741 · ‎10-26-2016

My field extractions are not coming up on splunk.
- i added the extractions in props.conf (tested them b4 adding).
- made a metadata folder and added a file local.meta and added the following lines :-
[default]
export = system
access = read : [ * ], write : [ admin ]

Any idea, what am i missing ?

somesoni2 · ‎10-26-2016

There is no [default] stanza in local.meta. You'd have to you'd have to create a metadata entry for each EXTRACT/REPORT configuration in your props.conf. Do a restart afterwards.

ktugwell_splunk · ‎10-26-2016

Ah, yes.

You could try:

[]
export = system

Will make all objects global

ktugwell_splunk · ‎10-26-2016

Did you restart Splunk?

The props.conf and local.meta. Are they the correct file permissions, i.e can the user Splunk is running as read them?

skoelpin · ‎10-26-2016

I'm sure you know this, but make sure you're not searching in Fast mode.. Second, I would first try doing search time extractions to verify it's capturing 100% of your fields. Then when your confident in your regex, put it in props.conf

joydeep741 · ‎10-26-2016

tested my regex by using it in the search query.
I am using verbose mode.

Field extractions are not coming up on splunk.

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!