Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to turn search '... | extract access-extractions' into a props.conf file?

Pierceyuk
Path Finder
‎06-02-2014 07:54 AM

Hey All,

So i have some web logs, lets call them source type 'webbylogs'.
If I search 'sourcetype=webbylogs | extract access-extractions' then everything gets extracted and all the fields are there and its all amazing.

How can I make this work in a props.conf?
I tried:

props.conf
[webbylogs]
REPORT-webbylogs = access-extractions
LOOKUP-IPlookup = lookup src_ip OUTPUT is_internal

As I have a lookup I want to work after this. But nothing happens. I pushed this to my search head, should it be indexer?

Am I missing something obvious?

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Pierceyuk
Path Finder
‎06-03-2014 03:48 AM

The issue was that the source type was actually webbyLogs with a capital L. and in the props file I had it all in lower case (like every other sourcetype).

thanks to MuS for all your pointers and help

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Pierceyuk
Path Finder
‎06-03-2014 03:48 AM

The issue was that the source type was actually webbyLogs with a capital L. and in the props file I had it all in lower case (like every other sourcetype).

thanks to MuS for all your pointers and help

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎06-02-2014 11:41 PM

Hi Pierceyuk,

do you have a access-extractions stanza in your transforms.conf? see docs http://docs.splunk.com/Documentation/Splunk/6.1.1/Knowledge/Managesearch-timefieldextractions

Also check out this awesome wiki page http://wiki.splunk.com/Where_do_I_configure_my_Splunk_settings where you can see that this should be placed on the search head.

cheers, MuS

Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎06-03-2014 01:22 AM

You can use the btool to check if there is any mismatch for props and/or transforms over all apps like this:

splunk cmd btool --debug props list
splunk cmd btool --debug transforms list

Also the copy approach is good for try&error it will do no harm.

Reply
Solved! Jump to solution

Pierceyuk
Path Finder
‎06-03-2014 01:07 AM

the access-extractions is a built in extraction located in /opt/splunk/etc/system/default/transforms.conf Do you think I should just copy the code out and put it in a transforms.conf in this little extraction app?

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...