For example:
source = D:\Users\ABC\Desktop\splunk\abc.log
I have extracted the part of string I wanted using (?\w+\.\w+). My sourcetype=log4j
(?\w+\.\w+)
What changes need to be made in props.conf and transforms.conf so that it can reflect in Splunk?
Hi apurva,
For search-time extractions add this to your props.conf
[log4j] EXTRACT-my_ext = your_regex
Hope it helps.
