how to configure field extractor for a single sour...

sumituv · ‎10-16-2016

Hi,

I am configuring Field Extractor to extract fields from a single files directly from events>action>extract fields.

However the same has been getting applied for other csv files as well which is creating conflicts.

If I do this from settings>field extractor then splunk is not extracting events for the source name i have put there in Source name field.

Kindly assist.

sumituv · ‎10-16-2016

The app local props.conf file is getting changed.

I repeat my requirement here:

I have configured C:\test\ for monitoring in Splunk

I have different folders under C:\test like
C:\test\test1
c:\test\test2

I want have a field extractor which extracts fields from files stored in C:\test\test1 folder only.

All files are in csv format.

If I configure field extractor directly from event actions menu, it is getting applied for all csv files in the C:\test folder which is creating conflicts.

I checked in props.conf file then I found below commands added which clearly tells SPLUNK to extract fields for all csv files.

Kindly assist me how can I restrict the field extraction.

[csv]
EXTRACT-Date,Computer,IP,Product,Action,Result =\d+\t(?P[^\t]+)\t(?P[^\t]+)\t(?P\d+.\d+.\d+.\d+)\t(?P\w+)\t(?P\w+\s+\w+)[^\t\n]*\t(?P[^\t]+)

ddrillic · ‎10-16-2016

Interesting. After running the field extractor feature from the UI, can you find which props.conf file got changed?

You can run - find . -name props.conf | xargs ls -ltr from the Splunk home directory...

And then, what was the change?

how to configure field extractor for a single source file only

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life