Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to EXTRACT regex expression in props.conf?

greggz
Communicator
‎02-07-2018 09:43 AM

I have this file with this appearance

first.prop.one=1
first.prop.two=2
first.prop.third=3

I was using KV_MODE=Auto, but I need more than 100 results. So I went to the HF, in the sourcetype definitions added

[sourcetype]
EXTRACT-Property=(?<Property>.+)=(?<Value>.+)

But nothing changed. Am I extracting correctly ?

thanks

0 Karma
Reply

micahkemp
Champion
‎02-07-2018 09:54 AM

EXTRACT and REPORT are search time objects, and need to be in place on the search head (not the forwarder).

I'd also suggest setting KV_MODE = none to avoid potential conflicts.

Reply

greggz
Communicator
‎02-07-2018 09:59 AM

Ohhh right. Anyway, is the regex correct ?

0 Karma
Reply

DUThibault
Contributor
‎02-07-2018 10:02 AM

It looks okay, but just to be sure I'd write it as (?<Property>[^=]+)=(?<Value>.+)

Reply
Get Updates on the Splunk Community!

Devesh Logendran, Splunk, and the Singapore Cyber Conquest

At this year’s Splunk University, I had the privilege of chatting with Devesh Logendran, one of the winners in ...

There's No Place Like Chrome and the Splunk Platform

WATCH NOW!Malware. Risky Extensions. Data Exfiltration. End-users are increasingly reliant on browsers to ...

Customer Experience | Join the Customer Advisory Board!

Are you ready to take your Splunk journey to the next level? &#x1f680; We invite you to join our elite squad ...