Splunk Search

Props and field extraction not working

paul_1994
Path Finder

I was using IFX and regex to extarct fields from my log but I keep getting this error in the Splunkd Log

03-13-2013 05:45:49.662 -0700 WARN AdminManager - Handler 'props-extract' has not performed any capability checks for this operation(requestedAction=edit, customAction="acl", item="iis-xpox : REPORT-iismpos"). This may be a bug.

03-13-2013 05:11:42.920 -0700 WARN AdminManager - Handler 'props-extract' has not performed any capability checks for this operation(requestedAction=list, customAction="acl", item="mpos-devicelog : EXTRACT-xpox-devicelog")

This error pops up everytime I try to change the permissions on the extraction.

This was placed in etc\system\local\props.conf

[xpox-devicelog]
EXTRACT-category-message = [^\]\n]*\]\s+(?P<category>\[([^ ]+|\w+\s+\w+|\w+\s+\w+\s+\w+\s+\w+|)\])\s+(?P<message>.+)

Any help appreciated

0 Karma

paul_1994
Path Finder

Here was my workaround for now. I moved these configs out of etc\system\local and created another app. This seems to be working for now.

0 Karma

paul_1994
Path Finder

version 4.3.5

0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

Make sure that $APP_HOME/metadata has two files: default.meta and local.meta. $APP_HOME is whatever app you were in at the time the error occurred. You should also check those files for anything relating to "iis-xpox" or "xpox-devicelog" to make sure you have permissions to those files. Also, might be a bug (what version Splunk do you have?)

0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

Yeah, those are the metadata for the system folder. Don't mess with the default one, but check the local one for your stanzas.

0 Karma

paul_1994
Path Finder

Is there a metedata for etc\system\local? files..
There is a etc\system\metadata in which both files are there ( default & local)

0 Karma

alacercogitatus
SplunkTrust
SplunkTrust

What version of Splunk?

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...