Knowledge Management

props.conf field extraction

nikkkc
Path Finder

Hi,
I try to extract a field in props.conf on the search head/indexer. Data comes from a UF.

props.conf
[mysyslog]
EXTRACT-level = "var/log/remote/smg/mail\d+/\w+/(?<level>[^/]*)/" in source

source: /var/log/remote/smg/mail01/mail/info/xxxxx.log

The regex works in search:
....| rex field=source "var/log/remote/smg/mail\d+/\w+/(?<level>[^/]*)/"

but not in props.conf??
Why? I tried with quotes and without quotes....

0 Karma
1 Solution

twinspop
Influencer

Removed: Wrong-headed answer about EXTRACT vs REPORT

This was likely the cause of your problems: No quotes around the regex, in either case.

My recommendation:

props.conf:

[mysyslog]
REPORT-level = extract_level

transforms.conf

[extract_level]
SOURCE_KEY = source
REGEX = var/log/remote/smg/mail\d+/\w+/([^/]*)/
FORMAT = mylevel::$1


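An added example, not code from this thread or from Splunk, that emulates what the search head does with the question's EXTRACT line and with the REPORT/transforms.conf pair from the accepted answer, so the quoting problem can be checked offline: the quoted regex is taken verbatim and never matches the source path, while the unquoted form and the transform both yield the level. The configs and the event are constructed from the thread, and Splunk's PCRE engine is approximated with Python's re module.

```python
import configparser
import re

# Constructed sample configs mirroring the thread (not Splunk's own code).
PROPS_CONF = r"""
[mysyslog]
REPORT-level = extract_level
EXTRACT-quoted = "var/log/remote/smg/mail\d+/\w+/(?<level>[^/]*)/" in source
EXTRACT-plain = var/log/remote/smg/mail\d+/\w+/(?<level>[^/]*)/ in source
"""
TRANSFORMS_CONF = r"""
[extract_level]
SOURCE_KEY = source
REGEX = var/log/remote/smg/mail\d+/\w+/([^/]*)/
FORMAT = mylevel::$1
"""
# Constructed event carrying only the field the extractions read.
EVENT = {"source": "/var/log/remote/smg/mail01/mail/info/xxxxx.log"}

def load_stanzas(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def pcre_search(regex, text):
    """Splunk regexes are PCRE; rewrite (?<name>...) to Python's (?P<name>...)."""
    return re.search(re.sub(r"\(\?<(?![=!])", "(?P<", regex), text)

def apply_extract(value, event):
    """Emulate EXTRACT-<class> = <regex> [in <field>]: named groups become fields.
    The text before ' in <field>' is the regex verbatim, so quotes around it are
    literal characters that must also appear in the source value."""
    head, sep, tail = value.rpartition(" in ")
    regex, field = (head, tail) if sep else (value, "_raw")
    hit = pcre_search(regex, event.get(field, ""))
    return hit.groupdict() if hit else {}

def apply_report(props, transforms, sourcetype, event):
    """Emulate REPORT-<class> = <transform>[, ...]: REGEX runs against SOURCE_KEY
    (default _raw) and FORMAT's field::$N pairs name the captured groups."""
    fields = {}
    for key, value in props[sourcetype].items():
        if key.startswith("REPORT-"):
            for name in value.split(","):
                t = transforms[name.strip()]
                hit = pcre_search(t["REGEX"], event.get(t.get("SOURCE_KEY", "_raw"), ""))
                for pair in (t["FORMAT"].split() if hit else []):
                    fname, fval = pair.split("::", 1)
                    fields[fname] = re.sub(r"\$(\d+)", lambda g: hit.group(int(g.group(1))), fval)
    return fields
```

Running apply_extract on the EXTRACT-quoted value returns no field at all, which is the symptom described in the question; the transform and the unquoted EXTRACT both return info.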
nikkkc
Path Finder

...I do not want to waste more time on this. Does it make a difference to use rex in the search query or to define it in props.conf and transforms.conf?? Because it works in the search query.

0 Karma

nikkkc
Path Finder

First I want to say thank you.
Still one question: I do not need to specify the field in the regex? Like ?<mylevel>
OK, if I specify the field then I do not need the line: FORMAT = mylevel
Right?

Anyway, I did a | extract reload=t
but still no new field in my search GUI.

0 Karma

nikkkc
Path Finder

After restarting Splunk it works.

0 Karma

pradeepkumarg
Influencer

EXTRACT is not an index-time field extraction. See the following from the props.conf documentation:

Use the TRANSFORMS field extraction type to create index-time field
extractions. Use the REPORT or EXTRACT field extraction types to create
search-time field extractions.
0 Karma

ddrillic
Ultra Champion

We learned in class the following -

Use extraction directives, EXTRACT and REPORT, in props.conf

EXTRACT (inline extraction) is defined in props.conf as standalone
REPORT (field transform) is defined in transforms.conf and invoked from props.conf

0 Karma

twinspop
Influencer

Ah crap, you're right. Too early in the morning. 🙂

0 Karma

nikkkc
Path Finder
XSS security deletes some characters...

Hi,
I try to extract a field in props.conf on the search head/indexer. Data comes from a UF.

props.conf
[mysyslog]
EXTRACT-level = "var/log/remote/smg/mail\d+/\w+/(?<level>[^/]*)/" in source

source: /var/log/remote/smg/mail01/mail/info/xxxxx.log

The regex works in search:
....| rex field=source "var/log/remote/smg/mail\d+/\w+/(?<level>[^/]*)/"

but not in props.conf??
Why? I tried with quotes and without quotes....
0 Karma

pradeepkumarg
Influencer

You definitely don't need quotes. Verify that your updated props.conf is on your intended search head. You can also check this with the btool command:

./splunk cmd btool props list

0 Karma