Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

props.conf $ bad character - Help Wanted

jrialto
New Member
‎12-14-2012 06:56 AM

Hi all

Hope you can help!

There is data in our Oracle audit file that we want to add to Fields. It has a Dollar sign, half way through, and it is giving me a bad character error. Here's an example of what is in the aud files:

OS$USERID: [5] "FREDYF"

Any thoughts on what I can do to make an exception and add this as a field?

I entered the following in props.conf.

[source::....aud]

EXTRACT-osuserid = OS$USERID:(?[[0-9]+] "[^"]+")

Tags (1)
0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎12-14-2012 07:26 AM

Per the documentation, the following is what is allowed:

Valid characters for field names are a-z, A-Z, 0-9, or _.
Field names cannot begin with 0-9 or _ .
Leading underscores are reserved for Splunk's internal variables.
International characters are not allowed.

In your extract, you will want to do this: EXTRACT-osuserid = OS$USERID:(?<os_userid>[[0-9]+] "[^"]+")

This creates a field "os_userid" which conforms to the standard.

http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Createandmaintainsearch-timefieldextractio...

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

&#x1f342; Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...