Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to turn search '... | extract access-extractions' into a props.conf file?

Pierceyuk
Path Finder
‎06-02-2014 07:54 AM

Hey All,

So i have some web logs, lets call them source type 'webbylogs'.
If I search 'sourcetype=webbylogs | extract access-extractions' then everything gets extracted and all the fields are there and its all amazing.

How can I make this work in a props.conf?
I tried:

props.conf
[webbylogs]
REPORT-webbylogs = access-extractions
LOOKUP-IPlookup = lookup src_ip OUTPUT is_internal

As I have a lookup I want to work after this. But nothing happens. I pushed this to my search head, should it be indexer?

Am I missing something obvious?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Pierceyuk
Path Finder
‎06-03-2014 03:48 AM

The issue was that the source type was actually webbyLogs with a capital L. and in the props file I had it all in lower case (like every other sourcetype).

thanks to MuS for all your pointers and help

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Pierceyuk
Path Finder
‎06-03-2014 03:48 AM

The issue was that the source type was actually webbyLogs with a capital L. and in the props file I had it all in lower case (like every other sourcetype).

thanks to MuS for all your pointers and help

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎06-02-2014 11:41 PM

Hi Pierceyuk,

do you have a access-extractions stanza in your transforms.conf? see docs http://docs.splunk.com/Documentation/Splunk/6.1.1/Knowledge/Managesearch-timefieldextractions

Also check out this awesome wiki page http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings where you can see that this should be placed on the search head.

cheers, MuS

Reply
Solved! Jump to solution

MuS
Legend
‎06-03-2014 01:22 AM

You can use the btool to check if there is any mismatch for props and/or transforms over all apps like this:

splunk cmd btool --debug props list
splunk cmd btool --debug transforms list

Also the copy approach is good for try&error it will do no harm.

Reply
Solved! Jump to solution

Pierceyuk
Path Finder
‎06-03-2014 01:07 AM

the access-extractions is a built in extraction located in /opt/splunk/etc/system/default/transforms.conf Do you think I should just copy the code out and put it in a transforms.conf in this little extraction app?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...
Top