Solved: Re: How to edit my props.conf for a custom field e...

hortonew · ‎08-24-2016

I'm having issues creating a custom field extraction based on the source field. Here's all the information.

inputs.conf - Heavy Forwarder

[monitor:///mnt/splunkLogShare/TS2/...]
disabled = 0
index = test
sourcetype = Support:TS2

props.conf - Search Head (metadata [props] export=system)

[Support:*]
EXTRACT-custom_extracted_field = /mnt/splunkLogShare/(TS1|TS2|TS3|TS4|TS5)/(?<custom_extracted_field>[^/]+)/.* in source

Directory structure - Heavy Forwarder

/mnt/splunkLogShare/TS2/300-222222/file1.txt
/mnt/splunkLogShare/TS2/300-222222/file2.txt
/mnt/splunkLogShare/TS2/300-222222/dir1/
/mnt/splunkLogShare/TS2/300-222222/dir1/file3.txt

Searching for the following returns nothing as custom_extracted_field doesn't exist

index=test custom_extracted_field=300-222222

Searching the following creates custom_extracted_field without issue

index=test source=\*300-222222\* | rex field=source "/mnt/splunkLogShare/(TS1|TS2|TS3|TS4|TS5)/(?[^/]+)/.*"

No automatic field extraction is happening. Thoughts?

dshpritz · ‎08-24-2016

Worked with hortonew via IRC. Looks like it was just a bad props spec 🙂

Edit: You still cannot do wildcards like * for sourcetype specs in props 😞

View solution in original post

dshpritz · ‎08-24-2016

Worked with hortonew via IRC. Looks like it was just a bad props spec 🙂

Edit: You still cannot do wildcards like * for sourcetype specs in props 😞

hortonew · ‎08-24-2016

Seems you can't add a sourcetype spec with a wildcard. Added each sourcetype individually and it started working. e.g.:

[Support:TS1]
EXTRACT-...
[Support:TS2]
EXTRACT-...

How to edit my props.conf for a custom field extraction based on the source field?

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?