Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Props.conf EXTRACT stopped working after stanza change

Burritobizon
Engager
‎05-25-2018 02:01 AM

Hello!

This morning, i have changed the configuration of an inline extraction in props.conf.
The original Extraction (this worked):

[source::///var/log/containers/*.log]
EXTRACT-sourcedata = (?<containers>(?<=containers\/).*?(?=_)).(?<namespace>.*(?=_)).(?<service>.*(?=-)) in source

I then changed the extraction to this:

[docker_json]
EXTRACT-sourcedata = (?<containers>(?<=containers\/).*?(?=_)).(?<namespace>.*(?=_)).(?<service>.*(?=-)) in source

because the inputs.conf file defines the sourcetype as follows ...

[monitor:///var/log/containers/*.log]
sourcetype = docker_json
disabled = 0

..., this should work.
however, the change did not work. I proceeded to undo said change, yet the old extraction stopped working as well.

Why is that? Does it take time for splunk to apply inline extractions?

0 Karma
Reply

Burritobizon
Engager
‎05-25-2018 02:33 AM

I have found the answer as to why the old extraction didn't work:

despite that inputs.conf defines the input as follows:

[monitor:///var/log/containers/*.log]

the stanza in props.conf has to be as follows:

[source::/var/log/containers/*.log]

I apologise for above error also being present in the working version above.
However, that does not explain why the new extraction (using the sourcetype) does not work.

0 Karma
Reply

FrankVl
Ultra Champion
‎05-25-2018 04:41 AM

At risk of stating the obvious, but:
- did you deploy the config in the right place (your search head(s))?
- you're not rewriting the sourcetype to something else at index time?
- no conflicting configs due to previous attempts? (e.g. check with btool)

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...