props.conf $ bad character - Help Wanted

jrialto · ‎12-14-2012

Hi all

Hope you can help!

There is data in our Oracle audit file that we want to add to Fields. It has a Dollar sign, half way through, and it is giving me a bad character error. Here's an example of what is in the aud files:

OS$USERID: [5] "FREDYF"

Any thoughts on what I can do to make an exception and add this as a field?

I entered the following in props.conf.

[source::....aud]

EXTRACT-osuserid = OS$USERID:(?[[0-9]+] "[^"]+")

alacercogitatus · ‎12-14-2012

Per the documentation, the following is what is allowed:

Valid characters for field names are a-z, A-Z, 0-9, or _. Field names cannot begin with 0-9 or _ . Leading underscores are reserved for Splunk's internal variables. International characters are not allowed.

In your extract, you will want to do this: EXTRACT-osuserid = OS$USERID:(?<os_userid>[[0-9]+] "[^"]+")

This creates a field "os_userid" which conforms to the standard.

http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Createandmaintainsearch-timefieldextractio...

props.conf $ bad character - Help Wanted

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation

props.conf $ bad character - Help Wanted

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability