Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Field extractions are not coming up on splunk.

joydeep741
Path Finder
‎10-26-2016 06:54 AM

My field extractions are not coming up on splunk.
- i added the extractions in props.conf (tested them b4 adding).
- made a metadata folder and added a file local.meta and added the following lines :-
[default]
export = system
access = read : [ * ], write : [ admin ]

Any idea, what am i missing ?

0 Karma
Reply

somesoni2
Revered Legend
‎10-26-2016 08:56 AM

There is no [default] stanza in local.meta. You'd have to you'd have to create a metadata entry for each EXTRACT/REPORT configuration in your props.conf. Do a restart afterwards.

0 Karma
Reply

ktugwell_splunk
Splunk Employee
Splunk Employee
‎10-26-2016 09:00 AM

Ah, yes.

You could try:

[]
export = system

Will make all objects global

0 Karma
Reply

ktugwell_splunk
Splunk Employee
Splunk Employee
‎10-26-2016 07:29 AM

Did you restart Splunk?

The props.conf and local.meta. Are they the correct file permissions, i.e can the user Splunk is running as read them?

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎10-26-2016 06:57 AM

I'm sure you know this, but make sure you're not searching in Fast mode.. Second, I would first try doing search time extractions to verify it's capturing 100% of your fields. Then when your confident in your regex, put it in props.conf

0 Karma
Reply

joydeep741
Path Finder
‎10-26-2016 07:21 AM
  • tested my regex by using it in the search query.
  • I am using verbose mode.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...