Getting Data In

props.conf $ bad character - Help Wanted

jrialto
New Member

Hi all

Hope you can help!

There is data in our Oracle audit file that we want to add to Fields. It has a Dollar sign, half way through, and it is giving me a bad character error. Here's an example of what is in the aud files:

OS$USERID: [5] "FREDYF"

Any thoughts on what I can do to make an exception and add this as a field?

I entered the following in props.conf.

[source::....aud]

EXTRACT-osuserid = OS$USERID:(?[[0-9]+] "[^"]+")

Tags (1)
0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

Per the documentation, the following is what is allowed:

Valid characters for field names are a-z, A-Z, 0-9, or _.
Field names cannot begin with 0-9 or _ .
Leading underscores are reserved for Splunk's internal variables.
International characters are not allowed.

In your extract, you will want to do this: EXTRACT-osuserid = OS$USERID:(?<os_userid>[[0-9]+] "[^"]+")

This creates a field "os_userid" which conforms to the standard.

http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Createandmaintainsearch-timefieldextractio...

Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...