Solved: Re: props.conf field extraction

nikkkc · ‎07-28-2016

Hi,
i try to extract a field in props.conf on search head/indexer. Data comes from UF.

props.conf
[mysyslog]
EXTRACT-level = "var/log/remote/smg/mail\d+/\w+/(?[^/]*)/" in source

source: /var/log/remote/smg/mail01/mail/info/xxxxx.log

the regex work´s in search:
....| rex field=source "var/log/remote/smg/mail\d+/\w+/(?[^/]*)/"

but not in props.conf??
Why? i tried with quotes and without quotes....

twinspop · ‎07-28-2016

Removed: Wrong headed answer about EXTRACT vs REPORT

This was likely the cause of your problems: No quotes around the regex, in either case.

My recommendation:

props.conf:

[mysyslog]
REPORT-level = extract_level

transforms.conf

[extract_level]
SOURCE_KEY = source
REGEX = var/log/remote/smg/mail\d+/\w+/([^/]*)/
FORMAT = mylevel::$1

View solution in original post

twinspop · ‎07-28-2016

Removed: Wrong headed answer about EXTRACT vs REPORT

This was likely the cause of your problems: No quotes around the regex, in either case.

My recommendation:

props.conf:

[mysyslog]
REPORT-level = extract_level

transforms.conf

[extract_level]
SOURCE_KEY = source
REGEX = var/log/remote/smg/mail\d+/\w+/([^/]*)/
FORMAT = mylevel::$1

nikkkc · ‎07-28-2016

...i do not want to waste more time for this, does it make a differnece to use the rex in search query or to define in props and transforms conf?? because it work´s in search query

nikkkc · ‎07-28-2016

first i want to say thank you.
still one question: i do not need to specify the field in regex? like ?<mylevel>
OK, if i specify the field then i do not need the line: FORMAT = mylevel
right?

Anyway, i did a | extract reload=t
but still no new filed in my search gui

nikkkc · ‎07-29-2016

after restart splunk it works.

pradeepkumarg · ‎07-28-2016

EXTRACT is not index time field extractions. Check below from props.conf documentation

Use the TRANSFORMS field extraction type to create index-time field
extractions. Use the REPORT or EXTRACT field extraction types to create
search-time field extractions.

ddrillic · ‎07-28-2016

We learned in class the following -

Use extraction directives, EXTRACT and REPORT in props.conf

EXTARCT (inline extraction) is defined in props.conf as standalone
REPORT (field transform) is defined in transform.conf and invoked from props.conf

twinspop · ‎07-28-2016

Ah crap, you're right. Too early in the morning. 🙂

nikkkc · ‎07-28-2016

xxs Security deletes some characters...

Hi,
i try to extract a field in props.conf on search head/indexer. Data comes from UF.

props.conf
[mysyslog]
EXTRACT-level = "var/log/remote/smg/mail\d+/\w+/(?<level>[^/]*)/" in source

source: /var/log/remote/smg/mail01/mail/info/xxxxx.log

the regex work´s in search:
....| rex field=source "var/log/remote/smg/mail\d+/\w+/(?<level>[^/]*)/"

but not in props.conf??
Why? i tried with quotes and without quotes....

pradeepkumarg · ‎07-28-2016

You definitely don't need quotes. verify your updated props.conf is on your intended search head. you can also check this with the btool command

./splunk cmd btool props list

props.conf field extraction

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

props.conf field extraction

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?