Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

EXTRACT-field command is not working in Splunk cloud for props.conf file

vjsplunk
Loves-to-Learn Everything
‎11-11-2024 10:03 PM

I am trying to add an EXTRACT-field command in Splunk cloud. I added the regex, it is working in search and capturing the value. But the field is not populating when applied to the props.conf file. The value I want to extract is "Stage=number". The regex I created is: 

EXTRACT-Stage = Stage=(?<Stage>\d+)


What could be the reason?

Labels (2)
0 Karma
Reply

vjsplunk
Loves-to-Learn Everything
‎11-14-2024 12:43 AM

Sample logs looks like this:

adshdsfkdlfpofgsk message hdksodb Stage=8 gjhjyeomhf hjhdgy …
 

I deployed the configurations in the cloud instance from the settings > sourcetypes option.

0 Karma
Reply

PaulPanther
Motivator
‎11-14-2024 12:55 AM

First, Key value pairs (field=value) are usually auto extracted when KV_MODE is set to auto in props.conf.

Configure automatic key-value field extraction - Splunk Documentation

If it is set to none please set your field extraction under Settings --> Fields --> Field extractions that's the right place for it.

0 Karma
Reply

PaulPanther
Motivator
‎11-14-2024 12:11 AM

Please share some sample data and explain how and where you configured the props.conf.

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

  Ready to master Kubernetes and cloud monitoring like the pros?Join Splunk’s Growth Engineering team for an ...

Wrapping Up Cybersecurity Awareness Month

October might be wrapping up, but for Splunk Education, cybersecurity awareness never goes out of season. ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...