I am trying to add new app to do some field extraction at index time. I've used a working app to get my folders and files created. I've tested my regex in online regex tester tools. Restarted service but no luck.
Can somebody direct me to which processor I need to set to debug logging mode to troubleshoot my issue?
Thanks
= ==============================
we have multiple servers performing different roles in splunk. So to make search heads life easier, I was thinking on doing this particular extraction on heavy forwarder.
Here is the props file:
[someDevice]
MAX_TIMESTAMP_LOOKAHEAD = 15
TIME_FORMAT = %b %d %H:%M:%S
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TRANSFORMS-getMyFields = get_type
Here is transforms:
[get_type]
REGEX = ]\:\s(.+?\s[\d]?[\d]?[\d]?)
FORMAT = event_type::$1
My regex is a bitty cumbersome but that is due to various data coming.
Sample of data is as follows:
Sep 11 15:47:20 111.111.111.111 blabla[123]: sometype on bla bla bla the rest doesnt matter
Sep 11 15:47:20 111.111.111.111 blabla[123]: othertype at bla bla bla the rest doesnt matter
Sep 11 15:47:20 111.111.111.111 blabla[123]: newtype 11 for bla bla bla the rest doesnt matter
I want to extract "sometype", "othertype", "newtype 11".
Last one makes my extraction tricky.
... View more