Re: props.conf $ bad character - Help Wanted

jrialto · ‎12-14-2012

Hi all

Hope you can help!

There is data in our Oracle audit file that we want to add to Fields. It has a Dollar sign, half way through, and it is giving me a bad character error. Here's an example of what is in the aud files:

OS$USERID: [5] "FREDYF"

Any thoughts on what I can do to make an exception and add this as a field?

I entered the following in props.conf.

[source::....aud]

EXTRACT-osuserid = OS$USERID:(?[[0-9]+] "[^"]+")

alacercogitatus · ‎12-14-2012

Per the documentation, the following is what is allowed:

Valid characters for field names are a-z, A-Z, 0-9, or _. Field names cannot begin with 0-9 or _ . Leading underscores are reserved for Splunk's internal variables. International characters are not allowed.

In your extract, you will want to do this: EXTRACT-osuserid = OS$USERID:(?<os_userid>[[0-9]+] "[^"]+")

This creates a field "os_userid" which conforms to the standard.

http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Createandmaintainsearch-timefieldextractio...

props.conf $ bad character - Help Wanted

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience

Join the Conversation

props.conf $ bad character - Help Wanted

Splunk MCP & Agentic AI: Machine Data Without Limits

Finding Based Detections General Availability

Get Your Hands Dirty (and Your Shoes Comfy): The Splunk Experience