Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Props and field extraction not working

paul_1994
Path Finder
‎03-13-2013 06:03 AM

I was using IFX and regex to extarct fields from my log but I keep getting this error in the Splunkd Log

03-13-2013 05:45:49.662 -0700 WARN AdminManager - Handler 'props-extract' has not performed any capability checks for this operation(requestedAction=edit, customAction="acl", item="iis-xpox : REPORT-iismpos"). This may be a bug.

03-13-2013 05:11:42.920 -0700 WARN AdminManager - Handler 'props-extract' has not performed any capability checks for this operation(requestedAction=list, customAction="acl", item="mpos-devicelog : EXTRACT-xpox-devicelog")

This error pops up everytime I try to change the permissions on the extraction.

This was placed in etc\system\local\props.conf

[xpox-devicelog]
EXTRACT-category-message = [^\]\n]*\]\s+(?P<category>\[([^ ]+|\w+\s+\w+|\w+\s+\w+\s+\w+\s+\w+|)\])\s+(?P<message>.+)

Any help appreciated

0 Karma
Reply

paul_1994
Path Finder
‎03-13-2013 10:56 AM

Here was my workaround for now. I moved these configs out of etc\system\local and created another app. This seems to be working for now.

0 Karma
Reply

paul_1994
Path Finder
‎03-13-2013 07:28 AM

version 4.3.5

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎03-13-2013 07:20 AM

Make sure that $APP_HOME/metadata has two files: default.meta and local.meta. $APP_HOME is whatever app you were in at the time the error occurred. You should also check those files for anything relating to "iis-xpox" or "xpox-devicelog" to make sure you have permissions to those files. Also, might be a bug (what version Splunk do you have?)

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎03-13-2013 07:30 AM

Yeah, those are the metadata for the system folder. Don't mess with the default one, but check the local one for your stanzas.

0 Karma
Reply

paul_1994
Path Finder
‎03-13-2013 07:28 AM

Is there a metedata for etc\system\local? files..
There is a etc\system\metadata in which both files are there ( default & local)

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎03-13-2013 07:07 AM

What version of Splunk?

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...