Hello Splunkers!!
Below are the sample event and I want to extract some fields into the Splunk while indexing.
I have used below props.conf to extract fields but nothing coming to Splunk in interesting fields.As well as i attched the screenshot of Splunk UI results in the attachment. Please guide me what i need to change in the setting?
[demo]
KEEP_EMPTY_VALS = false
KV_MODE = xml
LINE_BREAKER = <\/eqtext:EquipmentEvent>()
MAX_TIMESTAMP_LOOKAHEAD = 24
NO_BINARY_CHECK = true
SEDCMD-first = s/^.*<eqtext:EquipmentEvent/<eqtext:EquipmentEvent/g
SHOULD_LINEMERGE = false
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3f%Z
TIME_PREFIX = ((?<!ReceiverFmInstanceName>))<eqtext:EventTime>
TRUNCATE = 100000000
category = Custom
disabled = false
pulldown_type = true
FIELDALIAS-fields_scada_xml = "eqtext:EquipmentEvent.eqtext:ID.eqtext:Location.eqtext:PhysicalLocation.AreaID" AS area "eqtext:EquipmentEvent.eqtext:ID.eqtext:Location.eqtext:PhysicalLocation.ElementID" AS element "eqtext:EquipmentEvent.eqtext:ID.eqtext:Location.eqtext:PhysicalLocation.EquipmentID" AS equipment "eqtext:EquipmentEvent.eqtext:ID.eqtext:Location.eqtext:PhysicalLocation.ZoneID" AS zone "eqtext:EquipmentEvent.eqtext:ID.eqtext:Description" AS description "eqtext:EquipmentEvent.eqtext:ID.eqtext:MIS_Address" AS mis_address "eqtext:EquipmentEvent.eqtext:Detail.State" AS state "eqtext:EquipmentEvent.eqtext:Detail.eqtext:EventTime" AS event_time "eqtext:EquipmentEvent.eqtext:Detail.eqtext:MsgNr" AS msg_nr "eqtext:EquipmentEvent.eqtext:Detail.eqtext:OperatorID" AS operator_id "eqtext:EquipmentEvent.eqtext:Detail.ErrorType" AS error_type "eqtext:EquipmentEvent.eqtext:Detail.Severity" AS severity
=================================
<eqtext:EquipmentEvent xmlns:eqtext="http://vanderlande.com/FM/EqtEvent/EqtEventExtTypes/V1/1/5" xmlns:sbt="http://vanderlande.com/FM/Common/Services/ServicesBaseTypes/V1/8/4" xmlns:eqtexo="http://vanderlande.com/FM/EqtEvent/EqtEventExtOut/V1/1/5"><eqtext:ID><eqtext:Location><eqtext:PhysicalLocation><AreaID>8503</AreaID><ZoneID>3</ZoneID><EquipmentID>3</EquipmentID><ElementID>0</ElementID></eqtext:PhysicalLocation></eqtext:Location><eqtext:Description> LMS not healthy</eqtext:Description><eqtext:MIS_Address>0.3</eqtext:MIS_Address></eqtext:ID><eqtext:Detail><State>WENT_OUT</State><eqtext:EventTime>2024-04-02T21:09:38.337Z</eqtext:EventTime><eqtext:MsgNr>4657614997395580315</eqtext:MsgNr><Severity>LOW</Severity><eqtext:OperatorID>WALVAU-SCADA-1</eqtext:OperatorID><ErrorType>TECHNICAL</ErrorType></eqtext:Detail></eqtext:EquipmentEvent>
The FIELDALIAS attribute extracts fields at search time rather than at index time as requested.
IME, it's unusual to have a single FIELDALIAS attribute define more than one alias. Be sure the props.conf file has line continuation characters (\) between each alias as shown in props.conf.spec. If that doesn't work, then use a separate FIELDALIAS setting for each alias.
Ahh, indeed missed the "when indexing" part but I'd assume it was due to misunderstanding by @uagraw01 how field extractions work - they indeed mostly work during search phase, not while indexing the events.
But in case it was really meant as "index-time aliases" - there is no such thing. Aliasing is always done during search time.
But yes, you can specify multiple field aliases in one alias group (you can check it out in GUI and check what conf file the server writes :-)).
Assuming your naming is OK, check the permissions.
@PickleRick Permission is already set to global already for field alias.
But the aliases must be defined within an app. If that app is not exporting objects, it might cause a problem.
Anyway, global is one thing (exporting globally lets you use the knowledge objects in other apps' scopes), permissions assigned to a knowledge object is something else (you could export globally but only give permissions to selected roles).