Solved: Props.conf extractions

JoshuaJohn · ‎08-23-2016

Any reason why my statement for props.conf isn't showing up as an extracted field?

EXTRACT-kls_error = (?(kls_error_*)\w+)

When I use just the rex in a search it gets the exact info that I need but when I am trying to create an extracted field it cannot

diogofgm · ‎08-23-2016

I believe you are missing group name like MuS suggested. Try this

EXTRACT-kls_error = (?<kls_error>kls\_error\_[\w]+)

------------
Hope I was able to help you. If so, some karma would be appreciated.

diogofgm · ‎08-23-2016

I believe you are missing group name like MuS suggested. Try this

EXTRACT-kls_error = (?<kls_error>kls\_error\_[\w]+)

------------
Hope I was able to help you. If so, some karma would be appreciated.

skoelpin · ‎08-23-2016

@diogofgm is correct, you need to put <NAME> in your expression

For troubleshooting, you could try the extraction via rex in the search bar to test it and see if it works

... | rex (?<kls_error>kls\_error\_[\w]+)

MuS · ‎08-23-2016

Does it work if you run it in an ad-hoc search and is it just the format or are you missing a capturing group name?

Props.conf extractions