Hi,
We have a search that extracts Customer and Country correctly
index=aaa host="Host1" sourcetype=aaa_bbb | rex field=source "C:\\DIR\(?\w*)\(?\w*)" | table source,Customer,Country
source example = C:\DIR\CustomerX\CountryX\Web\log\2017-12-bbb.log
--
Now we want to use props.conf for extracting these 2 fields
When modifying the props.conf on the Splunk server (/opt/splunk/etc/system/local/props.conf)
[aaa_bbb]
EXTRACT-Customer,Country = C:\\DIR\(?\w*)\(?\w*) in source
After rebooting the server the fields are not there (we tried different options, none seem to work)
Please advise how we could extract these fields 'automatically' using props.conf
Thanks
/Edwin
Hi @edwinmae,
I have tried with the below configuration in props.conf in Splunk 7.0.1
[custom_st]
EXTRACT-Country,Customer = C:\\DIR\\(?<Customer>\w*)\\(?<Country>\w*) in source
And it's working fine with the sample data which you have provided; please find below a screenshot in which the Country and Customer fields are extracted properly.
It worked 🙂
Hi @edwinmae
PFA
You can use this regex in props.conf file.
I tried that as well, but it doesn't work
You're not specifying the extracted field names
Try:
EXTRACT-Customer,Country = C:\\\DIR\\(?<customer>\w*)\\(?<country>\w*) in source
Something went wrong with copying. My apologies.
The normal search is working and gets the source, Customer and Country, but not through props.conf
So I had the below in props.conf, but it doesn't work
[aaa_bbb]
EXTRACT-Customer,Country = C:\\TEM\(?\w*)\(?\w*) in source
Oh wait! I think there are too many \\'s
Try
EXTRACT-Customer,Country = C:\\DIR\\(?<customer>\w*)\\(?<country>\w*) in source
Still not working for me
What's the stanza named?
I just came across your other post.
Can you confirm this is exactly what you have?
[source::C:\Web\*\*\Web\log\mobile.log]
EXTRACT-Customer_Country = C:\\Web\\(?<customer>\w*)\\(?<country>\w*) in source
[source::C:\Web\*\*\Web\log\web.log]
EXTRACT-Customer_Country = C:\\Web\\(?<customer>\w*)\\(?<country>\w*) in source
I say 'exactly', because although Windows is not case sensitive, Splunk on Windows is!
I have another post?
We also tried using the props.conf from the Splunk Forwarder (on the web server)
[source::C:\DIR......\Web\log*bbb.log]
EXTRACT-Customer,Country = C:\\DIR\(?\w*)\(?\w*) in source
--
The inputs.conf (on the web server) looks like this:
[monitor://C:\DIR**\Web\log*bbb.log]
disabled = 0
ignoreOlderThan = 3d
followTail = 0
sourcetype = aaa_bbb
crcSalt =
index = aaa
--
The props.conf file on the Splunk server
stanza = aaa_bbb (=sourcetype)
[aaa_bbb]
EXTRACT-Customer,Country = C:\DIR\(?\w*)\(?\w*) in source
Using normal search with rex works fine
index=aaa sourcetype=aaa_bbb | rex field=source "C:\\DIR\(?\w*)\(?\w*)" | table source,Customer,Country
--
Unfortunately the props.conf doesn't work
We use Splunk 7.0.0 (Server and Forwarder)
The source = log path is the same for all Customers:
C:\DIR\Customer\Country\Web\log\2017-12-bbb-log
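
Added example, not part of the thread or of Splunk: a small offline check that parses an `EXTRACT-<class> = <regex> in <field>` line and reports which named fields it would yield for a sample `source` value. It assumes JavaScript's RegExp as a stand-in for Splunk's PCRE engine; `parseExtract`, `checkExtract` and the sample event are hypothetical names constructed for illustration.

```javascript
// Added example (not from the thread): check a props.conf search-time
// EXTRACT line against a sample event before deploying it.
// Assumption: JavaScript RegExp stands in for Splunk's PCRE engine; the
// (?<name>...) named-group syntax used in the thread is valid in both.

// Split "EXTRACT-<class> = <regex> in <field>" into its parts.
function parseExtract(line) {
  const m = /^EXTRACT-([^=\s]+)\s*=\s*(.*?)(?:\s+in\s+(\w+))?\s*$/.exec(line);
  if (!m) throw new Error("not an EXTRACT line: " + line);
  return { cls: m[1], regex: m[2], field: m[3] || "_raw" };
}

// Return the extracted fields, or the reason nothing would be extracted.
function checkExtract(line, event) {
  const { regex, field } = parseExtract(line);
  let re;
  try {
    re = new RegExp(regex);
  } catch (e) {
    return { ok: false, reason: "regex does not compile: " + e.message };
  }
  const value = event[field];
  if (value === undefined) return { ok: false, reason: "no field " + field };
  const m = re.exec(value);
  if (!m) return { ok: false, reason: "regex does not match " + field };
  const fields = { ...(m.groups || {}) };
  if (Object.keys(fields).length === 0)
    return { ok: false, reason: "match, but no named capture groups" };
  return { ok: true, fields };
}

// Constructed sample event, using the source path posted in the question.
const sample = { source: String.raw`C:\DIR\CustomerX\CountryX\Web\log\2017-12-bbb.log` };

// The line from the accepted answer, and the line as it appears in the question.
const working = String.raw`EXTRACT-Country,Customer = C:\\DIR\\(?<Customer>\w*)\\(?<Country>\w*) in source`;
const asPosted = String.raw`EXTRACT-Customer,Country = C:\\DIR\(?\w*)\(?\w*) in source`;

console.log(checkExtract(working, sample));
console.log(checkExtract(asPosted, sample));
```
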