EXTRACT-field command is not working in Splunk clo...

vjsplunk · ‎11-11-2024

I am trying to add an EXTRACT-field command in Splunk cloud. I added the regex, it is working in search and capturing the value. But the field is not populating when applied to the props.conf file. The value I want to extract is "Stage=number". The regex I created is:

EXTRACT-Stage = Stage=(?<Stage>\d+)

What could be the reason?

vjsplunk · ‎11-14-2024

Sample logs looks like this:

adshdsfkdlfpofgsk message hdksodb Stage=8 gjhjyeomhf hjhdgy …

I deployed the configurations in the cloud instance from the settings > sourcetypes option.

PaulPanther · ‎11-14-2024

First, Key value pairs (field=value) are usually auto extracted when KV_MODE is set to auto in props.conf.

Configure automatic key-value field extraction - Splunk Documentation

If it is set to none please set your field extraction under Settings --> Fields --> Field extractions that's the right place for it.

PaulPanther · ‎11-14-2024

Please share some sample data and explain how and where you configured the props.conf.

EXTRACT-field command is not working in Splunk cloud for props.conf file

splunk-assist

troubleshooting

See your relevant APM services, dashboards, and alerts in one place with the updated ...

Index This | What goes away as soon as you talk about it?

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

Are you a member of the Splunk Community?