Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to turn search '... | extract access-extractions' into a props.conf file?

Pierceyuk
Path Finder
‎06-02-2014 07:54 AM

Hey All,

So i have some web logs, lets call them source type 'webbylogs'.
If I search 'sourcetype=webbylogs | extract access-extractions' then everything gets extracted and all the fields are there and its all amazing.

How can I make this work in a props.conf?
I tried:

props.conf
[webbylogs]
REPORT-webbylogs = access-extractions
LOOKUP-IPlookup = lookup src_ip OUTPUT is_internal

As I have a lookup I want to work after this. But nothing happens. I pushed this to my search head, should it be indexer?

Am I missing something obvious?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Pierceyuk
Path Finder
‎06-03-2014 03:48 AM

The issue was that the source type was actually webbyLogs with a capital L. and in the props file I had it all in lower case (like every other sourcetype).

thanks to MuS for all your pointers and help

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Pierceyuk
Path Finder
‎06-03-2014 03:48 AM

The issue was that the source type was actually webbyLogs with a capital L. and in the props file I had it all in lower case (like every other sourcetype).

thanks to MuS for all your pointers and help

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎06-02-2014 11:41 PM

Hi Pierceyuk,

do you have a access-extractions stanza in your transforms.conf? see docs http://docs.splunk.com/Documentation/Splunk/6.1.1/Knowledge/Managesearch-timefieldextractions

Also check out this awesome wiki page http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings where you can see that this should be placed on the search head.

cheers, MuS

Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎06-03-2014 01:22 AM

You can use the btool to check if there is any mismatch for props and/or transforms over all apps like this:

splunk cmd btool --debug props list
splunk cmd btool --debug transforms list

Also the copy approach is good for try&error it will do no harm.

Reply
Solved! Jump to solution

Pierceyuk
Path Finder
‎06-03-2014 01:07 AM

the access-extractions is a built in extraction located in /opt/splunk/etc/system/default/transforms.conf Do you think I should just copy the code out and put it in a transforms.conf in this little extraction app?

0 Karma
Reply
Get Updates on the Splunk Community!

What the End of Support for Splunk Add-on Builder Means for You

Hello Splunk Community! We want to share an important update regarding the future of the Splunk Add-on Builder ...

Solve, Learn, Repeat: New Puzzle Channel Now Live

Welcome to the Splunk Puzzle PlaygroundIf you are anything like me, you love to solve problems, and what ...

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...