Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I unable to apply index-time field extractions through props.conf and transforms.conf to incoming data?

DanielAden
Explorer
‎04-14-2015 03:17 PM

I am trying to add an index-time extraction to a current data input by going to Setting > Data Inputs > TCP > [TCP PORT] > Select source type from list, however, my custom extraction does not appear. Here are the relevant bits of my transforms.conf and props.conf:

# props.conf
[unique_apache_custom]
TRANSFORMS-r1 = uniquel_apache_custom_fields

# transforms.conf
[unique_apache_custom_fields]
REGEX = (\S+)\]\s+(\S+)[\s-]+(\[.+\]) \"(OPTIONS|GET|HEAD|POST|PUT|DELETE|TRACE|CONNECT) (\S+) (\S+)\" (\d+) (\d+) \"(\S+)\" \"(\S+)(?: (\(.+\))(?: (\S+) (\S+))?\")?
FORMAT = source::$1 clientip::$2 timestamp::$3 method::$4 url::$5 protocol::$6 status::$7 bytes::$8 hosturl::$9

How do I apply this to my incoming data?

If any more info is needed please let me know.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DanielAden
Explorer
‎04-16-2015 09:13 AM

Thank you for your help, it turned out I was just missing pulldown_type = true, which was making the type not appear on the list.

View solution in original post

Reply
Solved! Jump to solution
Solution

DanielAden
Explorer
‎04-16-2015 09:13 AM

Thank you for your help, it turned out I was just missing pulldown_type = true, which was making the type not appear on the list.

Reply
Solved! Jump to solution

stephanefotso
Motivator
‎04-14-2015 04:11 PM

Ubdate your props.conf like this and let me know if ok.

# props.conf
 [unique_apache_custom]
 REPORT-r1 = uniquel_apache_custom_fields
SGF
0 Karma
Reply
Solved! Jump to solution

DanielAden
Explorer
‎04-14-2015 04:45 PM

Edited my props.conf like above, restarted splunk and still no good.

0 Karma
Reply
Solved! Jump to solution

stephanefotso
Motivator
‎04-14-2015 04:56 PM

Where did you put your file? Make shure you have put it in $SPLUNK_HOME/etc/system/local/, or your own custom app directory in $SPLUNK_HOME/etc/apps/local. And let me know again.
Thanks

SGF
0 Karma
Reply
Solved! Jump to solution

DanielAden
Explorer
‎04-14-2015 05:16 PM

Currently props.conf and transforms.conf are both located at $SPLUNK_HOME/etc/apps/local. Also, if it is relevant, their permissions are -rw-r--r--. I have had them at these locations before without issue but I will try them at the locations you suggested.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...