Solved: Splunk for Exchange Field Extractions

lhollada0 · ‎06-29-2012

Hello, I'm having some issues getting field extractions to work correctly. I've deployed the "TA-Windows-2008R2-Exchange-IIS" app to my CAS server, using the Universal Forwarder. I have the props.conf and transforms.conf in the same directory as the inputs.conf. But when I search the IIS logs on my search head, the fields defined in transforms.conf are not present.

I'm sure I'm missing something here regarding the different between search-time and index-time field extractions, and the inability of the forwarder to parse data. Any help would be appreciated.

ahall_splunk · ‎07-01-2012

The field extraction definitions are held in both the TA (as globally accessible extractions) and Splunk_for_Exchange (as local extractions). As such, if you have only installed Splunk_for_Exchange on your indexer/search head, then you will only see the extractions within the Splunk_for_Exchange app. There is a search bar in the overview screen of the Splunk_for_Exchange app that will allow you to view the extractions.

View solution in original post

ahall_splunk · ‎07-01-2012

The field extraction definitions are held in both the TA (as globally accessible extractions) and Splunk_for_Exchange (as local extractions). As such, if you have only installed Splunk_for_Exchange on your indexer/search head, then you will only see the extractions within the Splunk_for_Exchange app. There is a search bar in the overview screen of the Splunk_for_Exchange app that will allow you to view the extractions.

lhollada0 · ‎07-24-2012

Thanks for the clarification. Another thing I needed to do was to modify props.conf because I am already indexing the IIS logs under a different sourcetype. Looks good now.

Splunk for Exchange Field Extractions

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor