Splunk Search

Why does props.conf stanza with the full path name extract fields from the source, but not with my regex?

Path Finder

I have created a source stanza and tried to extract fields within the source. The path of the source is:

C:\Users\xbbxxxx\Desktop\Splunk\28_09_2014_dbg.txt

If I define the stanza with the full path like below in props.conf, I am able to extract fields from the source:

        [source::C:\Users\xbbxxxx\Desktop\Splunk\28_09_2014_dbg.txt]
        EXTRACT-Filename_sourcedbg = Final Filename (was\s)?\[(?<Fname>.*)](. Connected| in directory)
        EXTRACT-Username_sourcedbg = .*(?:UserID \[|Connected to \[)(?<Uname>\S+)(@\S+]|@\S+]. Timeout)

But if I try with a regex like below, I'm not able to extract fields from the same source:

        [source::C:\\Users\\....\\Splunk\\28_09_2014_dbg.txt]
        EXTRACT-Filename_sourcedbg = Final Filename (was\s)?\[(?<Fname>.*)](. Connected| in directory)
        EXTRACT-Username_sourcedbg = .*(?:UserID \[|Connected to \[)(?<Uname>\S+)(@\S+]|@\S+]. Timeout)

What is wrong with the config? Please help.


Re: Why does props.conf stanza with the full path name extract fields from the source, but not with my regex?

Motivator

Have you tried:

[source::C:\Users\...\Splunk\*_dbg.txt]

According to the documentation, Splunk uses 3 dots (...) to recurse through directories until the match is met:
http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/Specifyinputpathswithwildcards

Usually it is better to work with sourcetypes rather than using sources for your stanzas in props.conf (but maybe you're using the config you have for a reason I don't know):
http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/Whysourcetypesmatter

Regards
Chris

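To see why the two stanzas above behave differently, here is an added example (not code from this thread or from Splunk) that models the documented stanza wildcard semantics, `...` crossing directory separators and `*` stopping at them, as a small translator to a Python regex, and then applies the asker's two EXTRACT regexes to a constructed log line. The translator is an approximation for illustration, not Splunk's own matcher; the sample path is the one from the question and the log line is constructed to fit the asker's regexes (the field names `Fname` and `Uname` are theirs, rewritten in Python's `(?P<name>...)` syntax).

```python
import re

# Constructed sample: the asker's Windows source path from the thread.
SAMPLE_SOURCE = r"C:\Users\xbbxxxx\Desktop\Splunk\28_09_2014_dbg.txt"

# Constructed log line shaped to match the asker's two EXTRACT regexes.
SAMPLE_LINE = "Final Filename was [daily_report.csv]. Connected to [jdoe@host01]. Timeout 30s"

# The asker's regexes, with PCRE named groups rewritten for Python's re module.
EXTRACTS = {
    "Fname": r"Final Filename (was\s)?\[(?P<Fname>.*)](. Connected| in directory)",
    "Uname": r".*(?:UserID \[|Connected to \[)(?P<Uname>\S+)(@\S+]|@\S+]. Timeout)",
}


def stanza_pattern_to_regex(pattern: str) -> str:
    """Translate a props.conf-style source pattern into an anchored Python regex.

    Approximation of the documented wildcard semantics (assumption, not
    Splunk's implementation):
      '...'  matches any run of characters, including path separators
      '*'    matches any run of characters except a path separator
    Everything else is matched literally, so a single backslash in a
    Windows path is a literal backslash, as in the asker's working stanza.
    """
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            parts.append(".*")
            i += 3
        elif pattern[i] == "*":
            parts.append(r"[^/\\]*")
            i += 1
        else:
            parts.append(re.escape(pattern[i]))
            i += 1
    return "^" + "".join(parts) + "$"


def source_matches(pattern: str, source: str) -> bool:
    """True if the source path is selected by the stanza pattern."""
    return re.fullmatch(stanza_pattern_to_regex(pattern), source) is not None


def extract_fields(line: str) -> dict:
    """Apply each EXTRACT regex to a line and collect the named captures."""
    fields = {}
    for name, regex in EXTRACTS.items():
        m = re.search(regex, line)
        if m:
            fields[name] = m.group(name)
    return fields


if __name__ == "__main__":
    for stanza in (
        r"C:\Users\xbbxxxx\Desktop\Splunk\28_09_2014_dbg.txt",  # literal full path
        r"C:\Users\...\Splunk\*_dbg.txt",                        # '...' crosses \Desktop
        r"C:\Users\*\Splunk\*_dbg.txt",                          # '*' cannot cross it
    ):
        print(f"{stanza!r:55} -> {source_matches(stanza, SAMPLE_SOURCE)}")
    print(extract_fields(SAMPLE_LINE))
```

The third stanza fails because a single `*` stops at the `\Desktop` separator, which is exactly the gap `...` is meant to cover; the sourcetype-based approach Chris recommends sidesteps path matching altogether.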


Re: Why does props.conf stanza with the full path name extract fields from the source, but not with my regex?

Path Finder

I have tried like this: [source::C:\Users\....\Splunk\28_09_2014_dbg.txt]
It won't work. Do you want me to try with 3 dots?

I have already uploaded hundreds of different source files with the same sourcetype. Changing the sourcetype for each file is difficult. How can I proceed?


Re: Why does props.conf stanza with the full path name extract fields from the source, but not with my regex?

Motivator

If all the different files have the same format, you should be fine with one sourcetype. If every file is from a different source (syslog, java, json, xml, a different application every time) then sourcetypes will not help immediately. But usually people work with data from one or a couple of applications.


Re: Why does props.conf stanza with the full path name extract fields from the source, but not with my regex?

Motivator

Oh, and yes, have a go with 3 dots; you might get lucky.


Re: Why does props.conf stanza with the full path name extract fields from the source, but not with my regex?

Path Finder

Yeah, you are right. 3 dots works 🙂

Chris, in our scenario all the files follow one of 3 different formats, but the same sourcetype is assigned to all the files. Is there any solution to extract with sourcetype in props.conf?
