Solved: Index time Search Not Working

NAVEEN_CTS · ‎05-08-2019

Hi ,

I have dns file where i need to filter the junk data before indexing and extract hostname and IP fields at index time.

Filtering logic works well
Regex works well. It is tested in splunk search.
I get only 1 field extracted (IP alone) and HostName is not extracted.

Below are my configurations.Please review and let me know if something missing

Props.conf
[dig]
TRANSFORMS-drop = delLines
TRANSFORMS-dnsExtract = hostExtraction
TRANSFORMS-dnsExtract = IPExtraction

Transforms.conf

[delLines]
REGEX = ^;.*$
DEST_KEY = queue
FORMAT = nullQueue

[hostExtraction]
REGEX = ^(?P[^\t]+)

FORMAT = HostName::"$1"

WRITE_META = true

[IPExtraction]
REGEX = (?\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})

FORMAT = IP::"$1"

WRITE_META = true

koshyk · ‎05-08-2019

The reason i guess is you made a small mistake of using same name within props.conf . Please try like below

[dig]
TRANSFORMS-drop = delLines
TRANSFORMS-dnsExtract1 = hostExtraction
TRANSFORMS-dnsExtract2 = IPExtraction

woodcock · ‎05-08-2019

I agree with @koshyk but I would probably fix it like this:

Props.conf

[dig]
TRANSFORMS-drop = delLines
TRANSFORMS-dnsExtract = hostExtraction, IPExtraction

NAVEEN_CTS · ‎05-08-2019

@woodcock Thank you it worked 🙂

koshyk · ‎05-08-2019

The reason i guess is you made a small mistake of using same name within props.conf . Please try like below

[dig]
TRANSFORMS-drop = delLines
TRANSFORMS-dnsExtract1 = hostExtraction
TRANSFORMS-dnsExtract2 = IPExtraction

NAVEEN_CTS · ‎05-08-2019

@koshyk Thank you .....it worked 🙂

NAVEEN_CTS · ‎05-08-2019

I missed adding fields.conf

Fields.conf
[HostName]
INDEXED = true

[IP]
INDEXED = true

Index time Search Not Working