Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to configure field extractor for a single source file only

sumituv
New Member
‎10-16-2016 04:53 AM

Hi,

I am configuring Field Extractor to extract fields from a single files directly from events>action>extract fields.

However the same has been getting applied for other csv files as well which is creating conflicts.

If I do this from settings>field extractor then splunk is not extracting events for the source name i have put there in Source name field.

Kindly assist.

0 Karma
Reply

sumituv
New Member
‎10-16-2016 07:50 PM

The app local props.conf file is getting changed.

I repeat my requirement here:

I have configured C:\test\ for monitoring in Splunk

I have different folders under C:\test like
C:\test\test1
c:\test\test2

I want have a field extractor which extracts fields from files stored in C:\test\test1 folder only.

All files are in csv format.

If I configure field extractor directly from event actions menu, it is getting applied for all csv files in the C:\test folder which is creating conflicts.

I checked in props.conf file then I found below commands added which clearly tells SPLUNK to extract fields for all csv files.

Kindly assist me how can I restrict the field extraction.

[csv]
EXTRACT-Date,Computer,IP,Product,Action,Result =\d+\t(?P[^\t]+)\t(?P[^\t]+)\t(?P\d+.\d+.\d+.\d+)\t(?P\w+)\t(?P\w+\s+\w+)[^\t\n]*\t(?P[^\t]+)

0 Karma
Reply

ddrillic
Ultra Champion
‎10-16-2016 12:29 PM

Interesting. After running the field extractor feature from the UI, can you find which props.conf file got changed?

You can run - find . -name props.conf | xargs ls -ltr from the Splunk home directory...

And then, what was the change?

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...