Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Props and field extraction not working

paul_1994
Path Finder
‎03-13-2013 06:03 AM

I was using IFX and regex to extarct fields from my log but I keep getting this error in the Splunkd Log

03-13-2013 05:45:49.662 -0700 WARN AdminManager - Handler 'props-extract' has not performed any capability checks for this operation(requestedAction=edit, customAction="acl", item="iis-xpox : REPORT-iismpos"). This may be a bug.

03-13-2013 05:11:42.920 -0700 WARN AdminManager - Handler 'props-extract' has not performed any capability checks for this operation(requestedAction=list, customAction="acl", item="mpos-devicelog : EXTRACT-xpox-devicelog")

This error pops up everytime I try to change the permissions on the extraction.

This was placed in etc\system\local\props.conf

[xpox-devicelog]
EXTRACT-category-message = [^\]\n]*\]\s+(?P<category>\[([^ ]+|\w+\s+\w+|\w+\s+\w+\s+\w+\s+\w+|)\])\s+(?P<message>.+)

Any help appreciated

0 Karma
Reply

paul_1994
Path Finder
‎03-13-2013 10:56 AM

Here was my workaround for now. I moved these configs out of etc\system\local and created another app. This seems to be working for now.

0 Karma
Reply

paul_1994
Path Finder
‎03-13-2013 07:28 AM

version 4.3.5

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎03-13-2013 07:20 AM

Make sure that $APP_HOME/metadata has two files: default.meta and local.meta. $APP_HOME is whatever app you were in at the time the error occurred. You should also check those files for anything relating to "iis-xpox" or "xpox-devicelog" to make sure you have permissions to those files. Also, might be a bug (what version Splunk do you have?)

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎03-13-2013 07:30 AM

Yeah, those are the metadata for the system folder. Don't mess with the default one, but check the local one for your stanzas.

0 Karma
Reply

paul_1994
Path Finder
‎03-13-2013 07:28 AM

Is there a metedata for etc\system\local? files..
There is a etc\system\metadata in which both files are there ( default & local)

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎03-13-2013 07:07 AM

What version of Splunk?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...