Multiple fields extraction using props.conf

Explorer

Hi,

We have a search that extracts Customer and Country correctly

index=aaa host="Host1" sourcetype=aaa_bbb | rex field=source "C:\\DIR\\(?<Customer>\w+)\\(?<Country>\w+)" | table source,Customer,Country

source example = C:\DIR\CustomerX\CountryX\Web\log\2017-12-bbb.log

--

Now we want to use props.conf for extracting these 2 fields

When modifying the props.conf on the Splunk server (/opt/splunk/etc/system/local/props.conf)

[aaa_bbb]
EXTRACT-Customer,Country = C:\\DIR\\(?<Customer>\w+)\\(?<Country>\w+) in source

After rebooting the server the fields are not there (we tried different options, none seem to work)

Please advise how we could extract these fields 'automatically' using props.conf

Thanks

/Edwin

Re: Multiple fields extraction using props.conf

Ultra Champion

You're not specifying the extracted field names.

try:
EXTRACT-Customer,Country = C:\\\DIR\\(?<customer>\w*)\\(?<country>\w*) in source

0 Karma
Re: Multiple fields extraction using props.conf

Explorer

Something went wrong with copying, my apologies.
The normal search is working and gets the source, Customer and Country, but not through props.conf.

So I had the below in props.conf, but it doesn't work

[aaa_bbb]
EXTRACT-Customer,Country = C:\\TEM\\(?<Customer>\w+)\\(?<Country>\w+) in source

0 Karma
Re: Multiple fields extraction using props.conf

Ultra Champion

Oh wait! I think there are too many \\'s.

Try:
EXTRACT-Customer,Country = C:\\DIR\\(?<customer>\w*)\\(?<country>\w*) in source

0 Karma
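As an added illustration (not code from the thread or from Splunk itself), this Python check applies the corrected regex above and the single-backslash form shown in the question to constructed sample source paths, mimicking what a search-time EXTRACT does; Python's `(?P<name>...)` stands in for the PCRE `(?<name>...)` syntax Splunk uses.

```python
import re

# Constructed sample source paths (not from the thread), shaped like the
# questioner's example C:\DIR\CustomerX\CountryX\Web\log\2017-12-bbb.log.
SAMPLE_SOURCES = [
    r"C:\DIR\CustomerX\CountryX\Web\log\2017-12-bbb.log",
    r"C:\DIR\Acme\NL\Web\log\2017-12-bbb.log",
    r"c:\dir\Acme\NL\Web\log\2017-12-bbb.log",  # same path, different case
]

# Regex from the answer above. Splunk uses PCRE's (?<name>...) groups; Python's
# re module needs (?P<name>...), which is the only change made here.
EXTRACT_OK = r"C:\\DIR\\(?P<customer>\w*)\\(?P<country>\w*)"

# The regex as it was displayed in the question: a single backslash before "("
# escapes the parenthesis, so the group never opens and the ")" is unbalanced.
EXTRACT_BROKEN = r"C:\\DIR\(?P<customer>\w*)\(?P<country>\w*)"


def extract_fields(regex: str, source: str) -> dict:
    """Apply a props.conf EXTRACT-style regex to one source path.

    Like a search-time extraction, a regex that does not compile or does not
    match simply yields no fields; that is modelled here as an empty dict.
    """
    try:
        pattern = re.compile(regex)
    except re.error:
        return {}
    match = pattern.search(source)
    return match.groupdict() if match else {}


def extract_all(regex: str, sources=SAMPLE_SOURCES) -> list:
    """Rows of (source, fields) for every sample, like the '| table' in the thread."""
    return [(src, extract_fields(regex, src)) for src in sources]


if __name__ == "__main__":
    for label, regex in (("working", EXTRACT_OK), ("broken", EXTRACT_BROKEN)):
        print(f"--- {label}: {regex}")
        for src, fields in extract_all(regex):
            print(f"{src} -> {fields or 'no fields extracted'}")
```

The lower-case path in the samples matches nothing because the regex, like Splunk's matching, is case sensitive even though the Windows file system is not.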
Re: Multiple fields extraction using props.conf

Explorer

Still not working for me.

0 Karma
Re: Multiple fields extraction using props.conf

Ultra Champion

What's the stanza named?

0 Karma
Re: Multiple fields extraction using props.conf

Ultra Champion

I just came across your other post.

Can you confirm this is exactly what you have?

[source::C:\Web\*\*\Web\log\mobile.log]
EXTRACT-Customer_Country = C:\\Web\\(?<customer>\w*)\\(?<country>\w*) in source

[source::C:\Web\*\*\Web\log\web.log]
EXTRACT-Customer_Country = C:\\Web\\(?<customer>\w*)\\(?<country>\w*) in source

I say 'exactly', because although Windows is not case sensitive, Splunk on Windows is!

0 Karma
Re: Multiple fields extraction using props.conf

Explorer

I have another post?

We also tried using the props.conf from the Splunk Forwarder (on the web server)

[source::C:\DIR......\Web\log*bbb.log]
EXTRACT-Customer,Country = C:\\DIR\\(?<Customer>\w+)\\(?<Country>\w+) in source

--

The inputs.conf (on the web server) looks like this:

[monitor://C:\DIR**\Web\log*bbb.log]
disabled = 0
ignoreOlderThan = 3d
followTail = 0
sourcetype = aaa_bbb
crcSalt =
index = aaa

--

The props.conf file on the Splunk server

stanza = aaa_bbb (=sourcetype)

[aaa_bbb]
EXTRACT-Customer,Country = C:\\DIR\\(?<Customer>\w+)\\(?<Country>\w+) in source

tried with \\ and \

Using normal search with rex works fine

index=aaa sourcetype=aaa_bbb | rex field=source "C:\\DIR\\(?<Customer>\w+)\\(?<Country>\w+)" | table source,Customer,Country

--

Unfortunately the props.conf doesn't work

We use Splunk 7.0.0 (Server and Forwarder)

The source (log path) is the same for all Customers:
C:\DIR\Customer\Country\Web\log\2017-12-bbb-log

0 Karma
Re: Multiple fields extraction using props.conf

Path Finder

Hi @edwinmae

PFA [image attachment]
You can use this regex in the props.conf file.

0 Karma
Re: Multiple fields extraction using props.conf

Explorer

I tried that as well, but it doesn't work.

0 Karma