Solved: Which of these field extractions defined in props....

pavanae · ‎11-03-2016

I'd extracted 2 fields in props.conf as below:

[abc_xml_v1]
EXTRACT-abc_rac_cd_instance = ^/(cs|app)/abc/.*/adump/(?[^o][^_]+) in source
EXTRACT-abc_single_cd_instance = ^/(cs|app)/abc/(?[^/]+)/.*/adump/o in source

Which means I'd extracted two fields in a source with the same field name "cd_instance". In such cases, which extraction will Splunk consider for the field "cd_instance" ?

Any idea?

TStrauch · ‎11-03-2016

Hi,

Splunk always processes the props.conf sequential. Which means if you define the same field in two or more Extractions it will always be the value of the last called EXTRACT in props.conf.

Just give me a feedback if this is what you wanted to know. Im not quite sure about.

View solution in original post

TStrauch · ‎11-03-2016

Hi,

Splunk always processes the props.conf sequential. Which means if you define the same field in two or more Extractions it will always be the value of the last called EXTRACT in props.conf.

Just give me a feedback if this is what you wanted to know. Im not quite sure about.

Which of these field extractions defined in props.conf will Splunk consider for this field?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?

Which of these field extractions defined in props.conf will Splunk consider for this field?

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem