I have created a source stanza and tried to extract fields within the source. The path of the source is:
C:\Users\xbbxxxx\Desktop\Splunk\28_09_2014_dbg.txt
If I define the stanza with the full path like below in props.conf, I am able to extract fields from the source:
[source::C:\Users\xbbxxxx\Desktop\Splunk\28_09_2014_dbg.txt]
EXTRACT-Filename_sourcedbg = Final Filename (was\s)?\[(?<Fname>.*)](. Connected| in directory)
EXTRACT-Username_sourcedbg = .*(?:UserID \[|Connected to \[)(?<Uname>\S+)(@\S+]|@\S+]. Timeout)
But if I try with a regex like below, I'm not able to extract fields from the same source:
[source::C:\\Users\\....\\Splunk\\28_09_2014_dbg.txt]
EXTRACT-Filename_sourcedbg = Final Filename (was\s)?\[(?<Fname>.*)](. Connected| in directory)
EXTRACT-Username_sourcedbg = .*(?:UserID \[|Connected to \[)(?<Uname>\S+)(@\S+]|@\S+]. Timeout)
What is wrong with the config? Please help.
Have you tried:
[source::C:\Users\...\Splunk\*_dbg.txt]
According to the documentation Splunk uses 3 dots (...) to recurse through directories until the match is met:
http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/Specifyinputpathswithwildcards
Usually it is better to work with sourcetypes rather than using sources for your stanzas in props.conf (but maybe you're using the config you have for a reason I don't know):
http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/Whysourcetypesmatter
Regards
Chris
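An added example, not from the thread and not Splunk's own code: a simplified Python model of the wildcard rules cited in the answer above, showing why the three-dot stanza matches the asker's path while a four-dot stanza does not. It assumes `...` matches any characters including path separators, `*` stops at a path separator, every other character (a lone `.` included) is literal, and the whole source path must match; the `star_only` stanza and the `DOT_DIR` path are constructed for illustration.

```python
import re

def source_pattern_to_regex(pattern):
    """Translate a source:: wildcard pattern into a regex (simplified model)."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            out.append(".*")          # "..." crosses directory boundaries
            i += 3
        elif pattern[i] == "*":
            out.append(r"[^\\/]*")    # "*" stays inside one path segment
            i += 1
        else:
            out.append(re.escape(pattern[i]))  # anything else is literal
            i += 1
    return re.compile("".join(out))

def stanza_matches(pattern, source):
    """True when the whole source path matches the stanza pattern."""
    return source_pattern_to_regex(pattern).fullmatch(source) is not None

# Source path from the question.
SOURCE = r"C:\Users\xbbxxxx\Desktop\Splunk\28_09_2014_dbg.txt"
# Constructed path whose directory name ends in a literal dot.
DOT_DIR = r"C:\Users\a.\Splunk\28_09_2014_dbg.txt"

STANZAS = {
    "full_path":  r"C:\Users\xbbxxxx\Desktop\Splunk\28_09_2014_dbg.txt",
    "three_dots": r"C:\Users\...\Splunk\*_dbg.txt",
    # Four dots = "..." followed by one literal "." that the path must contain.
    "four_dots":  r"C:\Users\....\Splunk\28_09_2014_dbg.txt",
    # Constructed: "*" cannot span the two segments xbbxxxx\Desktop.
    "star_only":  r"C:\Users\*\Splunk\*_dbg.txt",
}

def evaluate(source=SOURCE):
    """Return {stanza name: matched?} for the given source path."""
    return {name: stanza_matches(p, source) for name, p in STANZAS.items()}

if __name__ == "__main__":
    for name, matched in evaluate().items():
        print(f"{name:10s} -> {'match' if matched else 'no match'}")
```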
Ya you are right. 3 dots works 🙂
Chris, in our scenario all the files follow one of 3 different formats. But the same sourcetype is assigned to all the files. Is there any solution to extract with sourcetype in props.conf?
Oh, and yes, have a go with 3 dots; you might get lucky.
If all the different files have the same format, you should be fine with one sourcetype. If every file is from a different source (syslog, java, json, xml, a different application every time) then sourcetypes will not help immediately. But usually people work with data from one or a couple of applications.
I have tried like this: [source::C:\Users\....\Splunk\28_09_2014_dbg.txt]
It won't work. Do you want me to try with 3 dots?
I already uploaded hundreds of different source files with the same sourcetype. Changing the sourcetype for each file is difficult. How can I proceed?