Splunk Enterprise

EXTRACT-field command is not working in Splunk cloud for props.conf file

vjsplunk
Loves-to-Learn Everything

I am trying to add an EXTRACT-field command in Splunk cloud. I added the regex, it is working in search and capturing the value. But the field is not populating when applied to the props.conf file. The value I want to extract is "Stage=number". The regex I created is: 

EXTRACT-Stage = Stage=(?<Stage>\d+)


What could be the reason?

Labels (2)
0 Karma

vjsplunk
Loves-to-Learn Everything

Sample logs looks like this:

adshdsfkdlfpofgsk message hdksodb Stage=8 gjhjyeomhf hjhdgy …
 

I deployed the configurations in the cloud instance from the settings > sourcetypes option.

0 Karma

PaulPanther
Motivator

First, Key value pairs (field=value) are usually auto extracted when KV_MODE is set to auto in props.conf.

Configure automatic key-value field extraction - Splunk Documentation

If it is set to none please set your field extraction under Settings --> Fields --> Field extractions that's the right place for it.

0 Karma

PaulPanther
Motivator

Please share some sample data and explain how and where you configured the props.conf.

0 Karma
Get Updates on the Splunk Community!

Message Parsing in SOCK

Introduction This blog post is part of an ongoing series on SOCK enablement. In this blog post, I will write ...

Exploring the OpenTelemetry Collector’s Kubernetes annotation-based discovery

We’ve already explored a few topics around observability in a Kubernetes environment -- Common Failures in a ...

Use ‘em or lose ‘em | Splunk training units do expire

Whether it’s hummus, a ham sandwich, or a human, almost everything in this world has an expiration date. And, ...