I am trying to extract a portion of the source as a field. Here's what the source looks like:
D:\Host Logs\info.server.02.mfl
I'm trying to extract "info" from the source filename, and this works perfectly as a Splunk search:
search | rex field=source "D:\\\Host Logs\\\(?<newfield>[\w]+).\w+.\w+.(mfl|MFL)"
But if I put this in props.conf for this sourcetype as a search-time extraction, it's not working:
EXTRACT-sourcefield = "D:\\\Host Logs\\\(?<newfield>[\w]+).\w+.\w+.(mfl|MFL)" in source
I've tried multiple versions of this, taking out the extra "\", removing the quotes, etc., but can't seem to get this field to extract. A "splunk btool props list..." shows that the props.conf file is being used. It's in an app in /opt/splunk/etc/apps. This is Splunk Enterprise 8.0.4.1.
Edit: Here are all the versions I've tried so far...
EXTRACT-sourcefield = D:\x5CHost Logs\x5C(?<newfield>[\w]+).\w+.\w+.(mfl|MFL) in source
EXTRACT-sourcefield = D:\\Host Logs\\(?<newfield>[\w]+).\w+.\w+.(mfl|MFL) in source
EXTRACT-sourcefield = "D:\\\Host Logs\\\(?<newfield>[\w]+).\w+.\w+.(mfl|MFL)" in source
EXTRACT-sourcefield = "D:\\Host Logs\\(?<newfield>[\w]+).\w+.\w+.(mfl|MFL)" in source
Or you can try:
EXTRACT-sourcefield = D:\x5CHost Logs\x5C(?<newfield>[\w]+).\w+.\w+.(mfl|MFL)
Thanks @amiftah_splunk - unfortunately, this isn't working either.
Are you extracting from a field?
You may need to use transforms:
transforms.conf:
[example]
SOURCE_KEY = source
REGEX = <your_regex>
props.conf:
REPORT-example = example
Tried using REPORT and transforms, but still no good extraction...
Yes, extracting from the source field. I haven't tried going the REPORT route and using transforms.conf because it's a simple inline extraction that shouldn't require transforms, per the documentation. Maybe worth giving it a shot though.
Have you tried this?
EXTRACT-sourcefield = D:\\Host Logs\\(?<newfield>[\w]+)\.\w+\.\w+\.(mfl|MFL) in source
Thanks @richgalloway - yes I've tried that in props, but no extraction.