Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

EXTRACT-field command is not working in Splunk cloud for props.conf file

vjsplunk
Loves-to-Learn Everything
2 weeks ago

I am trying to add an EXTRACT-field command in Splunk cloud. I added the regex, it is working in search and capturing the value. But the field is not populating when applied to the props.conf file. The value I want to extract is "Stage=number". The regex I created is: 

EXTRACT-Stage = Stage=(?<Stage>\d+)


What could be the reason?

Labels (2)
0 Karma
Reply

vjsplunk
Loves-to-Learn Everything
a week ago

Sample logs looks like this:

adshdsfkdlfpofgsk message hdksodb Stage=8 gjhjyeomhf hjhdgy …
 

I deployed the configurations in the cloud instance from the settings > sourcetypes option.

0 Karma
Reply

PaulPanther
Builder
a week ago

First, Key value pairs (field=value) are usually auto extracted when KV_MODE is set to auto in props.conf.

Configure automatic key-value field extraction - Splunk Documentation

If it is set to none please set your field extraction under Settings --> Fields --> Field extractions that's the right place for it.

0 Karma
Reply

PaulPanther
Builder
a week ago

Please share some sample data and explain how and where you configured the props.conf.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...