Splunk Search

Props and field extraction not working

paul_1994
Path Finder

I was using IFX and regex to extarct fields from my log but I keep getting this error in the Splunkd Log

03-13-2013 05:45:49.662 -0700 WARN AdminManager - Handler 'props-extract' has not performed any capability checks for this operation(requestedAction=edit, customAction="acl", item="iis-xpox : REPORT-iismpos"). This may be a bug.

03-13-2013 05:11:42.920 -0700 WARN AdminManager - Handler 'props-extract' has not performed any capability checks for this operation(requestedAction=list, customAction="acl", item="mpos-devicelog : EXTRACT-xpox-devicelog")

This error pops up everytime I try to change the permissions on the extraction.

This was placed in etc\system\local\props.conf

[xpox-devicelog]
EXTRACT-category-message = [^\]\n]*\]\s+(?P<category>\[([^ ]+|\w+\s+\w+|\w+\s+\w+\s+\w+\s+\w+|)\])\s+(?P<message>.+)

Any help appreciated

0 Karma

paul_1994
Path Finder

Here was my workaround for now. I moved these configs out of etc\system\local and created another app. This seems to be working for now.

0 Karma

paul_1994
Path Finder

version 4.3.5

0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

Make sure that $APP_HOME/metadata has two files: default.meta and local.meta. $APP_HOME is whatever app you were in at the time the error occurred. You should also check those files for anything relating to "iis-xpox" or "xpox-devicelog" to make sure you have permissions to those files. Also, might be a bug (what version Splunk do you have?)

0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

Yeah, those are the metadata for the system folder. Don't mess with the default one, but check the local one for your stanzas.

0 Karma

paul_1994
Path Finder

Is there a metedata for etc\system\local? files..
There is a etc\system\metadata in which both files are there ( default & local)

0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

What version of Splunk?

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...