Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- help to use EXTRACT in props.conf
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I've been trying to extract fields from a log at search time with only the help of props.conf. in the spunk docu I read that EXTRACT would be good in that case, especially cause I try to extract multiple fields at once.
this is my EXTRACT in props.conf so far:
EXTRACT-fields = (?P<src_ip>\d*\.\d*\.\d*\.\d*)(?=\ \d* TCP_)\s(?P<bits>\d*)\s(?P<tcp_state>\w*_\w*)\s
this would go on for a while with different fields but it doesn't work. what do I do wrong?
this is how the log looks like for example:
2014-03-27 12:39:32 20 10.71.15.207 304 TCP_HIT 367 1470 GET http www.computerworld.com 80 /elqNow/elqFCS.js - - - - 23.196.74.53 application/x-javascript http://www.computerworld.com/s/article/9247206/Gameover_malware_takes_aim_at_Monster.com_and_CareerBuilder.com "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" OBSERVED "Technology/Internet" - 163.252.254.201 23.44.202.53 52809
Thanks a lot for any help!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yeah well I guess I have the solution again... *facepalm*.
I've made an field extraction via splunk gui - settings - fields - field extraction and looked at the output. there it said the name of the extraction was
EXTRACT-src_ip,bits,tcp_stateso using this in my props.conf instead of only -fields made it work.... gosh.
hope this helps anyone who comes across this little problem.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yeah well I guess I have the solution again... *facepalm*.
I've made an field extraction via splunk gui - settings - fields - field extraction and looked at the output. there it said the name of the extraction was
EXTRACT-src_ip,bits,tcp_stateso using this in my props.conf instead of only -fields made it work.... gosh.
hope this helps anyone who comes across this little problem.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
