Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to configure field extractor for a single source file only

sumituv
New Member
‎10-16-2016 04:53 AM

Hi,

I am configuring Field Extractor to extract fields from a single files directly from events>action>extract fields.

However the same has been getting applied for other csv files as well which is creating conflicts.

If I do this from settings>field extractor then splunk is not extracting events for the source name i have put there in Source name field.

Kindly assist.

0 Karma
Reply

sumituv
New Member
‎10-16-2016 07:50 PM

The app local props.conf file is getting changed.

I repeat my requirement here:

I have configured C:\test\ for monitoring in Splunk

I have different folders under C:\test like
C:\test\test1
c:\test\test2

I want have a field extractor which extracts fields from files stored in C:\test\test1 folder only.

All files are in csv format.

If I configure field extractor directly from event actions menu, it is getting applied for all csv files in the C:\test folder which is creating conflicts.

I checked in props.conf file then I found below commands added which clearly tells SPLUNK to extract fields for all csv files.

Kindly assist me how can I restrict the field extraction.

[csv]
EXTRACT-Date,Computer,IP,Product,Action,Result =\d+\t(?P[^\t]+)\t(?P[^\t]+)\t(?P\d+.\d+.\d+.\d+)\t(?P\w+)\t(?P\w+\s+\w+)[^\t\n]*\t(?P[^\t]+)

0 Karma
Reply

ddrillic
Ultra Champion
‎10-16-2016 12:29 PM

Interesting. After running the field extractor feature from the UI, can you find which props.conf file got changed?

You can run - find . -name props.conf | xargs ls -ltr from the Splunk home directory...

And then, what was the change?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...