I am trying to add an index-time extraction to a current data input by going to Settings > Data Inputs > TCP > [TCP PORT] > Select source type from list; however, my custom extraction does not appear. Here are the relevant bits of my transforms.conf and props.conf:

# props.conf
[unique_apache_custom]
TRANSFORMS-r1 = uniquel_apache_custom_fields

# transforms.conf
[unique_apache_custom_fields]
REGEX = (\S+)\]\s+(\S+)[\s-]+(\[.+\]) \"(OPTIONS|GET|HEAD|POST|PUT|DELETE|TRACE|CONNECT) (\S+) (\S+)\" (\d+) (\d+) \"(\S+)\" \"(\S+)(?: (\(.+\))(?: (\S+) (\S+))?\")?
FORMAT = source::$1 clientip::$2 timestamp::$3 method::$4 url::$5 protocol::$6 status::$7 bytes::$8 hosturl::$9

How do I apply this to my incoming data?
If any more info is needed please let me know.
Where did you put your file? Make sure you have put it in $SPLUNK_HOME/etc/system/local/, or your own custom app directory in $SPLUNK_HOME/etc/apps/local. And let me know again.
Currently props.conf and transforms.conf are both located at $SPLUNK_HOME/etc/apps/local. Also, if it is relevant, their permissions are -rw-r--r--. I have had them at these locations before without issue but I will try them at the locations you suggested.
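
Added example, not part of the thread: a small cross-check of the two files as posted in the question, confirming that every TRANSFORMS- setting in props.conf names a stanza that exists in transforms.conf and that the stanza sets WRITE_META = true or a DEST_KEY, which index-time field transforms need. The function names and the simplified parser are assumptions for illustration, and REGEX and FORMAT are shortened in the sample.

```python
import re

# Constructed input: the two files as posted in the question (REGEX/FORMAT shortened).
PROPS = r"""
[unique_apache_custom]
TRANSFORMS-r1 = uniquel_apache_custom_fields
"""
TRANSFORMS = r"""
[unique_apache_custom_fields]
REGEX = (\S+)\]\s+(\S+)[\s-]+(\[.+\])
FORMAT = source::$1 clientip::$2 timestamp::$3
"""

def parse_conf(text):
    """Parse .conf text into {stanza: {key: value}} (simplified: no line continuations)."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def check_transforms(props_text, transforms_text):
    """Return (props stanza, setting, transform name, problem) for each finding."""
    props, transforms = parse_conf(props_text), parse_conf(transforms_text)
    findings = []
    for stanza, settings in props.items():
        for key, value in settings.items():
            if not key.startswith("TRANSFORMS-"):
                continue
            for name in (n.strip() for n in value.split(",") if n.strip()):
                target = transforms.get(name)
                if target is None:
                    findings.append((stanza, key, name, "no such stanza in transforms.conf"))
                # Only "true"/"1" are recognised here; other boolean spellings are not handled.
                elif (target.get("WRITE_META", "").lower() not in ("true", "1")
                      and "DEST_KEY" not in target):
                    findings.append((stanza, key, name, "no WRITE_META = true or DEST_KEY"))
    return findings

if __name__ == "__main__":
    for finding in check_transforms(PROPS, TRANSFORMS):
        print(finding)
```

On the posted files this reports that `uniquel_apache_custom_fields`, the name in props.conf, does not match the `unique_apache_custom_fields` stanza in transforms.conf.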