Splunk Search

Why does props.conf stanza with the full path name extract fields from the source, but not with my regex?

Mubarish
Path Finder

I have created a source stanza and tried to extract fields within the source. The path of the source is:

C:\Users\xbbxxxx\Desktop\Splunk\28_09_2014_dbg.txt

If I define the stanza with the full path like below in props.conf, I am able to extract fields from the source:

    [source::C:\Users\xbbxxxx\Desktop\Splunk\28_09_2014_dbg.txt]
    EXTRACT-Filename_sourcedbg = Final Filename (was\s)?\[(?<Fname>.*)](. Connected| in directory)
    EXTRACT-Username_sourcedbg = .*(?:UserID \[|Connected to \[)(?<Uname>\S+)(@\S+]|@\S+]. Timeout)

But if I try with a regex like below, I'm not able to extract fields from the same source:

    [source::C:\\Users\\....\\Splunk\\28_09_2014_dbg.txt]
    EXTRACT-Filename_sourcedbg = Final Filename (was\s)?\[(?<Fname>.*)](. Connected| in directory)
    EXTRACT-Username_sourcedbg = .*(?:UserID \[|Connected to \[)(?<Uname>\S+)(@\S+]|@\S+]. Timeout)

What is wrong with the config? Please help.

1 Solution

chris
Motivator

Have you tried:

[source::C:\Users\...\Splunk\*_dbg.txt]

According to the documentation, Splunk uses 3 dots (...) to recurse through directories until the match is met:
http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/Specifyinputpathswithwildcards

Usually it is better to work with sourcetypes rather than using sources for your stanzas in props.conf (but maybe you're using the config you have for a reason I don't know):
http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/Whysourcetypesmatter

Regards
Chris
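An added example, not from the thread and not Splunk's own matcher: a small Python emulation of the documented source-stanza wildcards (`...` crosses directory separators, `*` does not) so you can check which `[source::...]` stanza would select a path before editing props.conf. The sample path and the three stanza patterns are the ones discussed in this thread; treating everything other than the two wildcards as a literal is an assumption based on the linked documentation.

```python
import re

# Constructed sample: the asker's path and the three stanza patterns from the
# thread (exact path, the failing "...." attempt, the accepted "..." + "*" form).
SOURCE_PATH = r"C:\Users\xbbxxxx\Desktop\Splunk\28_09_2014_dbg.txt"

STANZAS = {
    "exact": r"C:\Users\xbbxxxx\Desktop\Splunk\28_09_2014_dbg.txt",
    "four_dots": r"C:\Users\....\Splunk\28_09_2014_dbg.txt",
    "three_dots": r"C:\Users\...\Splunk\*_dbg.txt",
}


def stanza_to_regex(pattern: str) -> str:
    """Translate a [source::<pattern>] wildcard pattern into a Python regex.

    Emulated semantics (assumption: only the two documented wildcards are
    handled, not Splunk's full stanza grammar):
      '...'  matches any characters, including path separators
      '*'    matches any characters except a path separator
    Everything else, including Windows backslashes, is taken literally.
    """
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("...", i):
            out.append(".*")
            i += 3
        elif pattern[i] == "*":
            out.append(r"[^\\/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return "^" + "".join(out) + "$"


def stanza_matches(pattern: str, source: str) -> bool:
    """True if the source path would be selected by the stanza pattern."""
    return re.match(stanza_to_regex(pattern), source) is not None


def matching_stanzas(stanzas: dict, source: str) -> list:
    """Names of the stanzas whose pattern selects the given source path."""
    return [name for name, pat in stanzas.items() if stanza_matches(pat, source)]


if __name__ == "__main__":
    for name, pat in STANZAS.items():
        print(f"{name:10s} {stanza_matches(pat, SOURCE_PATH)!s:5s} [source::{pat}]")
```

The four-dot pattern fails here because the fourth dot is a literal that must sit directly before `\Splunk\`, which the path does not have.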

Mubarish
Path Finder

Ya, you are right. 3 dots works 🙂

Chris, in our scenario all the files follow one of 3 different formats. But the sourcetype assigned is the same for all the files. Is there any solution to extract with sourcetype in props.conf?

0 Karma

chris
Motivator

Oh, and yes, have a go with 3 dots; you might get lucky.

0 Karma

chris
Motivator

If all the different files have the same format, you should be fine with one sourcetype. If every file is from a different source (syslog, java, json, xml, a different application every time) then sourcetypes will not help immediately. But usually people work with data from one or a couple of applications.

0 Karma

Mubarish
Path Finder

I have tried like this: [source::C:\Users\....\Splunk\28_09_2014_dbg.txt]
It won't work. Do you want me to try with 3 dots?

I have already uploaded hundreds of different source files with the same sourcetype. Changing the sourcetype for each file is difficult. How can I proceed?

0 Karma