Hi All,
I create a new index, but the source data comes from a saved search. Let's say I create a saved search from index=ABC and send the output to index=BCD;
then in index=BCD the result has the _raw field from index=ABC, like this.
All the fields from index=ABC are gone.
Then, when I try to create the regex using an SPL query, all the fields are created:
index=zake-alert sourcetype=alert:access
| rex field=_raw "ComputerName:\s+\"?(?<ComputerName>[^\",\r\n]+)"
| rex field=_raw "Locked Out User\s*ID:\s+\"?(?<LockedOutUserID>[^\",\r\n]+)"
| rex field=_raw "User Full Name:\s+\"?(?<UserFullName>[^\"\r\n]*)"
| rex field=_raw "Source of Lockout:\s+\"?(?<SourceOfLockout>[^\",\r\n]+)"
| rex field=_raw "RecordNumber:\s+\"?(?<RecordNumber>\d+)"
| rex field=_raw "Raw_Message:\s+\"?(?<Raw_Message>[^\r\n\"]+)"
| eval mitre_tactic_id="TA0006", mitre_technique_id="T1110"
| table _time ComputerName LockedOutUserID UserFullName SourceOfLockout RecordNumber Raw_Message mitre_tactic_id mitre_technique_id
But when I set it up using props.conf, nothing happens...
Can someone explain this to me?
Hi @zksvc
Can you please share your props.conf? Have you configured the props to extract the fields from both the original sourcetype and the collected sourcetype name?
Hi @zksvc ,
let me understand: you copy a subset of data from index=ABC using the collect command, is this correct?
If this is your approach, check the sourcetype that you have in the DEF index because, by default, using the collect command Splunk assigns a sourcetype called stash and not the original one.
If you also want to use the original sourcetype in the DEF index, you have to pay the license twice.
Then, about regexes: the collect command saves the fields you have in the scheduled search (can you share it?) and, anyway, it modifies the original raw events, so you probably have to create new field extractions.
Maybe a better approach is to extract all the fields in the savedsearch and, in the secondary index, use sourcetype=stash (to avoid paying the license twice); then you already have the fields you need.
Ciao.
Giuseppe
Hi @gcusello
I use an adaptive response and choose "Log Event" to send data from ABC to DEF,
but I use this new sourcetype to regex it using props.conf.
Hi @zksvc ,
to my knowledge, using a new sourcetype you pay the license even if it is in an Adaptive Response.
Anyway, look at the output of the Adaptive Response to see how the log is built, so you can check your regexes; they are probably different from the original logs.
Ciao.
Giuseppe
Hi @gcusello
What do you mean by license? Is that a different license, like the ingest size license?
Yes, the log is different from the original one, but when I try to call it using regex in SPL, all is good. The trouble is that when I try to parse it using props.conf, there is no impact.
Hi @zksvc ,
about the license, to my knowledge, if you save search results in an index using collect with a sourcetype different from stash, you have to pay the license.
About regexes, I suppose you created them using the events in the DEF index; what do you mean by wanting to parse events using props.conf? All the field extractions, including the ones done through the interface, are stored in props.conf.
Ciao.
Giuseppe
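To make concrete what the replies above ask for (props configured for the sourcetype actually present in the destination index, with extractions written against the rewritten events), here is a search-time props.conf stanza that reproduces the rex extractions from the SPL query in the question. This is an added example, not a file posted by anyone in this thread. It assumes the events in the destination index carry sourcetype alert:access, as in the question's search; if the data was written by collect with the default sourcetype, the stanza header must be [stash] instead, and if the "Log Event" action assigned a different name, use that name.

```ini
# Added example (not from the thread): search-time extractions for the events
# written to the destination index. Place this in
# $SPLUNK_HOME/etc/apps/<your_app>/local/props.conf on the search head.
# EXTRACT- settings are search-time, so they need no re-indexing: they apply
# to the next search once the configuration is reloaded.
#
# Assumption: the stored sourcetype is alert:access (from the question's SPL).
# Replace the stanza name with [stash] if collect wrote the events with the
# default sourcetype, or with whatever the "Log Event" action was set to.
[alert:access]

# Same patterns as the "| rex" lines in the question. In SPL the regex lives
# inside a double-quoted string, so a literal quote is written \" there; in
# props.conf the value is the bare regex, so a plain " is used instead.
EXTRACT-computername    = ComputerName:\s+"?(?<ComputerName>[^",\r\n]+)
EXTRACT-lockedoutuserid = Locked Out User\s*ID:\s+"?(?<LockedOutUserID>[^",\r\n]+)
EXTRACT-userfullname    = User Full Name:\s+"?(?<UserFullName>[^"\r\n]*)
EXTRACT-sourceoflockout = Source of Lockout:\s+"?(?<SourceOfLockout>[^",\r\n]+)
EXTRACT-recordnumber    = RecordNumber:\s+"?(?<RecordNumber>\d+)
EXTRACT-rawmessage      = Raw_Message:\s+"?(?<Raw_Message>[^\r\n"]+)

# The constant MITRE fields the SPL added with "| eval" are not extractions;
# in props.conf they are calculated fields, which also apply at search time.
EVAL-mitre_tactic_id    = "TA0006"
EVAL-mitre_technique_id = "T1110"
```

Two checks are worth doing before concluding that props.conf "has no impact". First, confirm which sourcetype the destination events really have (`index=<destination> | stats count by sourcetype`): a stanza for a name that never appears in the index is silently ignored. Second, confirm the file is being read on the search head with `splunk btool props list alert:access --debug`, which prints each setting together with the file it came from; if the stanza only exists on an indexer or a forwarder, search-time EXTRACT- settings will not be applied. After editing the file, run `| extract reload=true` in a search (or restart the search head) so the new stanza is picked up, then search `index=<destination> sourcetype=alert:access | table _time ComputerName LockedOutUserID` with no rex commands to see the extracted fields.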