
props.conf field extraction

nikkkc
Path Finder

Hi,
I'm trying to extract a field in props.conf on the search head/indexer. The data comes from a UF.

props.conf
[mysyslog]
EXTRACT-level = "var/log/remote/smg/mail\d+/\w+/(?<level>[^/]*)/" in source

source: /var/log/remote/smg/mail01/mail/info/xxxxx.log

The regex works in search:
....| rex field=source "var/log/remote/smg/mail\d+/\w+/(?<level>[^/]*)/"

but not in props.conf??
Why? I tried with quotes and without quotes....

0 Karma
1 Solution

twinspop
Influencer

Removed: Wrong headed answer about EXTRACT vs REPORT

This was likely the cause of your problems: No quotes around the regex, in either case.

My recommendation:

props.conf:

[mysyslog]
REPORT-level = extract_level

transforms.conf

[extract_level]
SOURCE_KEY = source
REGEX = var/log/remote/smg/mail\d+/\w+/([^/]*)/
FORMAT = mylevel::$1


nikkkc
Path Finder

...I do not want to waste more time on this; does it make a difference to use the rex in the search query or to define it in props and transforms conf?? Because it works in the search query.

0 Karma

nikkkc
Path Finder

First I want to say thank you.
Still one question: do I not need to specify the field in the regex? Like ?<mylevel>
OK, if I specify the field then I do not need the line: FORMAT = mylevel
Right?

Anyway, I did a | extract reload=t
but still no new field in my search GUI.

0 Karma
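The accepted answer's REPORT/transforms.conf pair and the question just above (named capture group versus FORMAT) differ only in where the field name comes from. The script below is an added example, not code from this thread or from Splunk: it simulates both extraction styles with Python's re module over constructed source paths (only the first path is the poster's), and also shows why a regex wrapped in quotes matches nothing, which is the point of the accepted answer. It assumes Splunk's FORMAT syntax `field::$N` and PCRE named groups `(?<name>...)`; the helper names are mine.

```python
import re

# Constructed sample source paths. Only the first one comes from the thread.
SOURCES = [
    "/var/log/remote/smg/mail01/mail/info/xxxxx.log",  # poster's example
    "/var/log/remote/smg/mail12/mail/warn/other.log",  # constructed
    "/var/log/remote/smg/mail01/mail/error/x.log",     # constructed
    "/var/log/local/syslog",                            # constructed: no match
]

# REPORT style (accepted answer): unnamed group, field name supplied by FORMAT.
REPORT_REGEX = r"var/log/remote/smg/mail\d+/\w+/([^/]*)/"
REPORT_FORMAT = "mylevel::$1"

# EXTRACT style (original question, without quotes): PCRE named group.
EXTRACT_REGEX = r"var/log/remote/smg/mail\d+/\w+/(?<level>[^/]*)/"


def pcre_to_python(pattern):
    """Splunk regexes are PCRE, where a named group is (?<name>...);
    Python's re module spells it (?P<name>...). Nothing else differs here."""
    return re.sub(r"\(\?<([A-Za-z_]\w*)>", r"(?P<\1>", pattern)


def apply_report(source, regex=REPORT_REGEX, fmt=REPORT_FORMAT):
    """Simulate a REPORT transform with SOURCE_KEY = source and a FORMAT of
    the form field::$N. Returns {} when the regex does not match, just as
    Splunk would simply not create the field."""
    m = re.search(pcre_to_python(regex), source)
    if not m:
        return {}
    fields = {}
    for pair in fmt.split():
        name, ref = pair.split("::", 1)
        # $1, $2, ... refer to the numbered capture groups of REGEX
        value = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))), ref)
        fields[name] = value
    return fields


def apply_extract(source, regex=EXTRACT_REGEX):
    """Simulate an inline EXTRACT: every named capture group becomes a field."""
    m = re.search(pcre_to_python(regex), source)
    return dict(m.groupdict()) if m else {}


def extract_all(sources=SOURCES):
    """Run both styles over every sample path; both yield the same value."""
    return [(s, apply_report(s), apply_extract(s)) for s in sources]


def quoted_regex_result(source=SOURCES[0]):
    """The thread's failure mode: Splunk reads the conf value literally, so
    surrounding quotes become literal '"' characters that no path contains."""
    return apply_extract(source, '"' + EXTRACT_REGEX + '"')


if __name__ == "__main__":
    for src, rep, ext in extract_all():
        print(f"{src}\n  REPORT  -> {rep}\n  EXTRACT -> {ext}")
    print("quoted regex ->", quoted_regex_result())
```

For the poster's path both styles produce the value `info`: REPORT names the field in FORMAT, EXTRACT takes the name from the capture group, so a named group in the transform's REGEX makes FORMAT unnecessary. Either way these are search-time extractions, so the new field only appears once the search head has re-read the configuration, which in this thread took a restart.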

nikkkc
Path Finder

After restarting Splunk it works.

0 Karma

pradeepkumarg
Influencer

EXTRACT is not an index-time field extraction. Check the following from the props.conf documentation:

Use the TRANSFORMS field extraction type to create index-time field
extractions. Use the REPORT or EXTRACT field extraction types to create
search-time field extractions.

0 Karma

ddrillic
Ultra Champion

We learned in class the following:

Use extraction directives, EXTRACT and REPORT, in props.conf

EXTRACT (inline extraction) is defined in props.conf as standalone
REPORT (field transform) is defined in transforms.conf and invoked from props.conf

0 Karma

twinspop
Influencer

Ah crap, you're right. Too early in the morning. 🙂

0 Karma

nikkkc
Path Finder
XSS security deletes some characters...

Hi,
I'm trying to extract a field in props.conf on the search head/indexer. The data comes from a UF.

props.conf
[mysyslog]
EXTRACT-level = "var/log/remote/smg/mail\d+/\w+/(?<level>[^/]*)/" in source

source: /var/log/remote/smg/mail01/mail/info/xxxxx.log

The regex works in search:
....| rex field=source "var/log/remote/smg/mail\d+/\w+/(?<level>[^/]*)/"

but not in props.conf??
Why? I tried with quotes and without quotes....
0 Karma

pradeepkumarg
Influencer

You definitely don't need quotes. Verify your updated props.conf is on your intended search head. You can also check this with the btool command:

./splunk cmd btool props list

0 Karma