How do I install the Splunk App for Secret Server?

jaxjohnny2000
Builder

We are going to use syslog-ng and a heavy forwarder for the SecretServer. Could it be that we only need to change the props.conf in the SecretServer app to [SecretServer] rather than the default [syslog] stanza?

The app is designed to have the SecretServer sent directly to an Indexer. However, we are first sending it to a syslog-ng and then via Heavy Forwarder to the index cluster. Therefore, all the panels are set up to use "source=secretserver".

But, when the syslog server sends the data, the source is the LOG file. So, should we install this app on the indexers, forwarders, and search heads; or just the search heads? Then, the source will change, as the log files rotate. So, we can use sourcetype to power all the panels. Should we then update the props.conf file with the sourcetype stanza, SecretServer?

0 Karma
1 Solution

jaxjohnny2000
Builder

Thank you. However, there are no pre-built panels on the Secret server app.

The application is working now. I modified the props.conf with the sourcetype and then modified all the xml panels switching source with sourcetype in the search and finally the eventtypes.conf to change to searching by sourcetype.

0 Karma

Rob2520
Communicator

Is the data already present in Splunk, or are you trying to get data into Splunk? If the data is already available then you can use the prebuilt dashboards and saved searches present in the app. All you need to do is edit the saved searches accordingly. This app just needs to be on the search head.

0 Karma

jaxjohnny2000
Builder

Yes, the data is getting into Splunk. However, the fields are not really being extracted properly.

0 Karma

gstefancyk
Path Finder

@jaxjohnny2000 Did you ever get the additional fields to extract properly?

Running into the same issues. I edited props.conf to look at the proper Eventtype, but some of the fields are still not extracting properly, for example Action, By_User and plenty of others. The regex appears to be correct, and when tested with Rubular as well as the Splunk custom field extractor we get the expected results, but they do not carry over into search...

0 Karma

jaxjohnny2000
Builder

So are you receiving data at all? If so, check the sourcetype. I had to remove the syslog stanza completely.

I have a syslog-ng listening and then sending to the index cluster with sourcetype=secretserver.

Then I checked the case of the stanza (does that matter?)

[secretserver]
EXTRACT-EventID = (?i)^(?:[^|]*\|){4}(?P<EventID>[^|]+)
EXTRACT-action = (Action: (?P<action>[^:]+) )
EXTRACT-body = ^([^|]+\|){7}(?P<body>[^|]+)
EXTRACT-by_user = (By User: (?P<by_user>[^:=]+) )
EXTRACT-container_name = (Container Name: (?P<container_name>[^:=]+(?!suid=)) )
EXTRACT-details = (Details: (?P<details>[^:]+) (suid=))
EXTRACT-event = (Event: (?P<event>[^:]+) )
EXTRACT-file_id = (fileId=(?P<file_id>[^=]+) )
EXTRACT-file_name = (fname=(?P<file_name>[^=]+) )
EXTRACT-file_type = (fileType=(?P<file_type>[^=]+) )
EXTRACT-full_suser = (?i) suser=(?P<full_suser>.+?)\s\S+=
EXTRACT-item_name = (Item Name: (?P<item_name>[^:=]+(?!suid=)) )
EXTRACT-log_level = ^([^|]+\|){6}(?P<log_level>[^|]+)
EXTRACT-message_name = ^([^|]+\|){5}(?P<message_name>[^|]+)
EXTRACT-preamble = ^(?P<preamble>[^|]+)\|
EXTRACT-product = ^([^|]+\|){2}(?P<product>[^|]+)
EXTRACT-receipt_time = (rt=(?P<receipt_time>[^=]+) )
EXTRACT-tss_cs1 = (cs1=(?P<tss_cs1>[^=]+) )
EXTRACT-tss_cs1Label = (cs1Label=(?P<tss_cs1Label>[^=]+) )
EXTRACT-tss_cs2 = (cs2=(?P<tss_cs2>[^=]+) )
EXTRACT-tss_cs2Label = (cs2Label=(?P<tss_cs2Label>[^=]+) )
EXTRACT-tss_cs3 = (cs3=(?P<tss_cs3>[^=]+) )
EXTRACT-tss_cs3Label = (cs3Label=(?P<tss_cs3Label>[^=]+) )
EXTRACT-tss_cs4 = (cs4=(?P<tss_cs4>[^=]+) )
EXTRACT-tss_cs4Label = (cs4Label=(?P<tss_cs4Label>[^=]+) )
EXTRACT-tss_msg = (msg=(?P<tss_msg>[^=]+) )
EXTRACT-tss_signature_id = ^([^|]+\|){4}(?P<tss_signature_id>[^|]+)
EXTRACT-tss_src = (src=(?P<tss_src>[^=]+) )
EXTRACT-tss_suid = (suid=(?P<tss_suid>[^=]+) )
EXTRACT-tss_suser = (suser=(?P<tss_suser>[^=]+) )
EXTRACT-vendor = ^([^|]+\|){1}(?P<vendor>[^|]+)
EXTRACT-version = ^([^|]+\|){3}(?P<version>[^|]+)
FIELDALIAS-aob_gen_syslog_alias_1 = EventID AS signature_id
FIELDALIAS-aob_gen_syslog_alias_10 = action AS change_type
FIELDALIAS-aob_gen_syslog_alias_11 = tss_cs1 AS cs1
FIELDALIAS-aob_gen_syslog_alias_12 = tss_cs2 AS cs2
FIELDALIAS-aob_gen_syslog_alias_13 = tss_cs3 AS cs3
FIELDALIAS-aob_gen_syslog_alias_14 = tss_cs4 AS cs4
FIELDALIAS-aob_gen_syslog_alias_15 = tss_cs4Label AS cs4Label
FIELDALIAS-aob_gen_syslog_alias_16 = tss_cs3Label AS cs3Label
FIELDALIAS-aob_gen_syslog_alias_17 = tss_cs2Label AS cs2Label
FIELDALIAS-aob_gen_syslog_alias_18 = tss_cs1Label AS cs1Label
FIELDALIAS-aob_gen_syslog_alias_19 = tss_msg AS msg
FIELDALIAS-aob_gen_syslog_alias_2 = product AS vendor_product
FIELDALIAS-aob_gen_syslog_alias_20 = tss_signature_id AS signature_id
FIELDALIAS-aob_gen_syslog_alias_3 = product AS app
FIELDALIAS-aob_gen_syslog_alias_4 = log_level AS severity
FIELDALIAS-aob_gen_syslog_alias_5 = suser AS src_user
FIELDALIAS-aob_gen_syslog_alias_6 = suser AS user
FIELDALIAS-aob_gen_syslog_alias_7 = duser AS object
FIELDALIAS-aob_gen_syslog_alias_8 = duid AS object_id
FIELDALIAS-aob_gen_syslog_alias_9 = container_name AS dest
SHOULD_LINEMERGE = 0
pulldown_type = 1

0 Karma
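A way to dry-run a stanza like the one above before pushing it to the heavy forwarder or search head, as an added example that is not from the original post or from the Splunk App for Secret Server: it applies the EXTRACT regexes (with the pipe delimiters escaped) to a constructed Secret Server-style event using Python's re module, which accepts the same named-group, inline-flag and lookahead syntax as Splunk's PCRE engine. The sample event, the tightened Action/By User patterns and the function names are assumptions for illustration; the behaviour of the as-posted patterns is what the regexes themselves do.

```python
"""Dry-run Splunk EXTRACT regexes against a sample Secret Server event.

Added example; not code from the Splunk App for Secret Server or from the
thread. Python's re module stands in for Splunk's PCRE engine: the named
groups, inline flags and lookaheads used here behave identically in both.
"""
import re

# Constructed sample (assumption, not a captured Secret Server line): a
# CEF-style header of seven pipe-delimited fields followed by key=value
# extensions, laid out in the field positions the stanza expects.
SAMPLE_EVENT = (
    "CEF:0|Thycotic Software|Secret Server|10.9.000032|10004|SECRET - VIEW|2|"
    "msg=Event: Secret viewed By User: jdoe Action: View "
    "suid=42 suser=jdoe src=10.0.0.5 rt=Jan 05 2024 12:00:00 "
    "cs1Label=ItemName cs1=prod-db-password cs4Label=Folder cs4=Production"
)

# Positional extractions with the delimiter escaped. A bare "|" inside the
# group is alternation, so ^(?:[^|]*|){4} means "four times: a pipe-free run
# or nothing" and never steps over a single pipe.
POSITIONAL = {
    "vendor":       r"^(?:[^|]*\|){1}(?P<vendor>[^|]+)",
    "product":      r"^(?:[^|]*\|){2}(?P<product>[^|]+)",
    "version":      r"^(?:[^|]*\|){3}(?P<version>[^|]+)",
    "EventID":      r"(?i)^(?:[^|]*\|){4}(?P<EventID>[^|]+)",
    "message_name": r"^(?:[^|]*\|){5}(?P<message_name>[^|]+)",
    "log_level":    r"^(?:[^|]*\|){6}(?P<log_level>[^|]+)",
    "body":         r"^(?:[^|]*\|){7}(?P<body>[^|]+)",
}
UNESCAPED_EVENT_ID = r"^(?:[^|]*|){4}(?P<EventID>[^|]+)"  # bare |, no backslash

# key=value extractions in the stanza's style. "[^=]+ " backtracks to the
# last space before the next "=", so multi-word values survive, but the last
# key on the line only matches when a trailing space follows its value.
KEY_VALUE = {
    "tss_msg":      r"msg=(?P<tss_msg>[^=]+) ",
    "tss_suid":     r"suid=(?P<tss_suid>[^=]+) ",
    "tss_suser":    r"suser=(?P<tss_suser>[^=]+) ",
    "tss_src":      r"src=(?P<tss_src>[^=]+) ",
    "receipt_time": r"rt=(?P<receipt_time>[^=]+) ",
    "tss_cs1Label": r"cs1Label=(?P<tss_cs1Label>[^=]+) ",
    "tss_cs1":      r"cs1=(?P<tss_cs1>[^=]+) ",
    "tss_cs4Label": r"cs4Label=(?P<tss_cs4Label>[^=]+) ",
    "tss_cs4":      r"cs4=(?P<tss_cs4>[^=]+) ",
}

# "Label: value" extractions as posted. [^:]+ runs to the next colon, which
# on this sample is the one inside rt=...12:00:00, so action swallows half
# the line before backtracking to a space.
LABEL_AS_POSTED = {
    "by_user": r"By User: (?P<by_user>[^:=]+) ",
    "action":  r"Action: (?P<action>[^:]+) ",
}

# Tightened variant (assumption): match lazily and stop at the next
# "Label: " or "key=" token, or at end of line.
NEXT_TOKEN = r"(?= [A-Z][\w ]*: | \w+=|$)"
LABEL_TIGHT = {
    "by_user": r"By User: (?P<by_user>.+?)" + NEXT_TOKEN,
    "action":  r"Action: (?P<action>.+?)" + NEXT_TOKEN,
}


def extract(event, patterns):
    """Apply each regex the way search-time EXTRACT does: the named group
    becomes the field; a non-matching regex yields no field (None here)."""
    fields = {}
    for name, pattern in patterns.items():
        m = re.search(pattern, event)
        fields[name] = m.group(name) if m else None
    return fields


def event_id(pattern, event=SAMPLE_EVENT):
    """Pull EventID with one pattern; used to compare escaped vs bare |."""
    m = re.search(pattern, event)
    return m.group("EventID") if m else None


if __name__ == "__main__":
    for title, patterns in [("positional", POSITIONAL), ("key=value", KEY_VALUE),
                            ("labels as posted", LABEL_AS_POSTED),
                            ("labels tightened", LABEL_TIGHT)]:
        print(f"--- {title}")
        for k, v in extract(SAMPLE_EVENT, patterns).items():
            print(f"{k:14} = {v!r}")
    print("EventID with bare | :", event_id(UNESCAPED_EVENT_ID))
    print("EventID with \\|     :", event_id(POSITIONAL["EventID"]))
```

Running it on the sample shows the positional fields landing where the FIELDALIAS lines expect them (EventID = 10004, log_level = 2), tss_cs4 not extracting because nothing follows the last value, and the as-posted action pattern capturing "View suid=42 suser=jdoe src=10.0.0.5 rt=Jan 05 2024" while the tightened one returns "View". Whatever is changed in the regexes, check the result with the same search-time field extractor on a real event afterwards, since a Rubular match only proves the pattern, not that the stanza is bound to the sourcetype the data actually arrives with.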

mstjohn_splunk
Splunk Employee

hi @jaxjohnny2000,

Thanks for posting on Splunk Answers. Could you give us some more context on your problem? The more detail your post contains, the better chance it has of being answered by the community.

0 Karma

mstjohn_splunk
Splunk Employee

@jaxjohnny2000,

Thanks for providing more info. I moved your comment up to the main post so that it's more visible.

Good luck with your query!

0 Karma
