×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
harry17preet
Explorer
Member since: ‎05-18-2022
‎07-20-2022
Community Statistics
Posts 4
Solutions 0
Karma Given 3
Karma Received 0
Member Since ‎05-18-2022
Activity Feed
View All

Re: Help getting field extraction from information...

by in Getting Data In
‎05-19-2022 06:11 PM
‎05-19-2022 06:11 PM
Hi @VatsalJagani , thanks heaps. that works. Are you also able to provide me details on search time extraction.  Same details only change change is source file name will vary like : /opt/splunk/etc/apps/ce/local/app/ce_*_data2_*_*.txt. Cheers ... View more

Re: Help getting field extraction from information...

by in Getting Data In
‎05-19-2022 01:22 AM
‎05-19-2022 01:22 AM
Hi @isoutamo  I would like to do it during indexing.  How can I do that via props.conf and transforms.conf. Are you able to show me the props and transforms configurations. ... View more

Re: Help getting field extraction from information...

by in Getting Data In
‎05-19-2022 01:21 AM
‎05-19-2022 01:21 AM
Hi @VatsalJagan  I would like to do it during indexing.  How can I do that via props.conf and transforms.conf. Are you able to show me that props and transforms configurations. ... View more

Help getting field extraction from information in ...

by in Getting Data In
‎05-18-2022 05:55 PM
‎05-18-2022 05:55 PM
Hi All, I am ingesting some logs from Heavy Forwarder and then sending them to indexers. *Snippet from inputs.conf on the Universal Forwarder [monitor:///opt/splunk/etc/apps/nonprod_apicalls/local/ce_p2_srv_data2_env_getstats_port.txt] disabled = false sourcetype = my:api:ce2 index = internet I would like to extract "data2" text from the filename.  I did a rex field extraction on search head and it works giving me "instance" field name under interesting fields on Search UI. Below is the regex I used | rex field=source "\/(.+\/)(?:[^_]+_[^_]+_[^_]+_)(?<instance>[^_]+)"   So next step I did is created props.conf with below configuration [my:api:ce2] EXTRACT-instance = \/(.+\/)(?:[^_]+_[^_]+_[^_]+_)(?<instance>[^_]+) in source   Restarted the splunk service on Heavy Forwarder, but it doesn't work. Can someone advise me if I am doing something wrong here or what is the issue. Thankyou Harry ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎07-20-2022 07:02 AM
Karma given to
View All