Splunk Search

How to troubleshoot why props.conf field extractions are not being applied?

ltrand
Contributor

So I've been having a difficult time with doing field extractions and not getting the results I expect. In a single instance VM it works perfectly, however in my production systems none of my attempts at extract or transform has worked. With that said, I've racked my brain trying to get a props config to work.

props.conf

[sourcetype4]
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
pulldown_type = true
EXTRACT-timestamp,EVENT,Session_ID,SID,UserName,OSUserID,MachineName,Module = ^"(?P<timestamp>[^"]+)","(?P<EVENT>\w+)","(?P<Session_ID>\d+)(?:[^"\n]*"){2}(?P<SID>\d+)","(?P<UserName>[^"]+)[^,\n]*,"(?P<OSUserID>[^"]+)","(?P<MachineName>\w+\\\w+)[^,\n]*,"(?P<Module>[^"]+)

In the VM it works perfect, but when I put it to the search head in production it fails to do anything at all. I get no errors with the btool, I don't see anything that would supersede the config, and not a single field extracted. Heck, in the test VM it's correctly grabbing timestamp but not in production. Can anyone help with troubleshooting this? What is the best way in which I can trace out exactly when each stanza is being hit?

Thanks!

0 Karma
1 Solution

esix_splunk
Splunk Employee
Splunk Employee

Where do you have this props at in your production environment? This should be on the search head, as EXTRACT is a search time operation. I would pipe that to rex and make sure it works at search time.

Also, this may not be relevant, but I am not sure if commas work in extract statements: EXTRACT-name,name,name. Might try changing this to EXTRACT-name-name-name..

If you can post examples of your data, we can validate the FEX also.

View solution in original post

esix_splunk
Splunk Employee
Splunk Employee

Where do you have this props at in your production environment? This should be on the search head, as EXTRACT is a search time operation. I would pipe that to rex and make sure it works at search time.

Also, this may not be relevant, but I am not sure if commas work in extract statements: EXTRACT-name,name,name. Might try changing this to EXTRACT-name-name-name..

If you can post examples of your data, we can validate the FEX also.

ltrand
Contributor

Thanks for the pointer. I took a second look at the regex and I was one character off. The commas work in the extract statement, as I now pull all of the fields correctly.

Thanks for the sanity reminder!

muebel
SplunkTrust
SplunkTrust

whats the OS in each case?

0 Karma
Get Updates on the Splunk Community!

Security Highlights: September 2022 Newsletter

 September 2022 The Splunk App for Fraud Analytics (SFA) is now Splunk SupportedUse your existing Splunk ...

Platform Highlights | September 2022 Newsletter

 September 2022 What’s New in 9.0 and How to UpgradeGet a walk through of what is new Splunk Enterprise 9.0 ...

Observability Highlights | September 2022 Newsletter

 September 2022 Splunk Observability SuiteAccess to "Classic" SignalFx Interface Will be Removed on Sept 30, ...