Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

help to use EXTRACT in props.conf

avoelk
Communicator
‎11-11-2020 02:52 AM

I've been trying to extract fields from a log at search time with only the help of props.conf. in the spunk docu I read that EXTRACT would be good in that case, especially cause I try to extract multiple fields at once. 

 

this is my EXTRACT in props.conf so far:

 

 

EXTRACT-fields = (?P<src_ip>\d*\.\d*\.\d*\.\d*)(?=\ \d* TCP_)\s(?P<bits>\d*)\s(?P<tcp_state>\w*_\w*)\s

 

 

this would go on for a while with different fields but it doesn't work. what do I do wrong? 

this is how the log looks like for example: 

 

 

2014-03-27 12:39:32 20 10.71.15.207 304 TCP_HIT 367 1470 GET http www.computerworld.com 80 /elqNow/elqFCS.js - - - - 23.196.74.53 application/x-javascript http://www.computerworld.com/s/article/9247206/Gameover_malware_takes_aim_at_Monster.com_and_CareerBuilder.com "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)" OBSERVED "Technology/Internet" - 163.252.254.201 23.44.202.53 52809

 

 

 

Thanks a lot for any help!

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

avoelk
Communicator
‎11-11-2020 03:08 AM

yeah well I guess I have the solution again... *facepalm*. 

I've made an field extraction via splunk gui - settings - fields - field extraction and looked at the output. there it said the name of the extraction was 

EXTRACT-src_ip,bits,tcp_state

so using this in my props.conf instead of only -fields made it work.... gosh. 

hope this helps anyone who comes across this little problem. 

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

avoelk
Communicator
‎11-11-2020 03:08 AM

yeah well I guess I have the solution again... *facepalm*. 

I've made an field extraction via splunk gui - settings - fields - field extraction and looked at the output. there it said the name of the extraction was 

EXTRACT-src_ip,bits,tcp_state

so using this in my props.conf instead of only -fields made it work.... gosh. 

hope this helps anyone who comes across this little problem. 

0 Karma
Reply
Get Updates on the Splunk Community!

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

What’s New in Splunk Enterprise 9.4: Tools for Digital ResilienceTune in to What’s New in Splunk Enterprise ...

Get Schooled with Splunk Education: Explore Our Latest Courses

At Splunk Education, we’re dedicated to providing incredible learning experiences that cater to every skill ...

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...