Re: Props.conf EXTRACT stopped working after stanz...

Burritobizon · ‎05-25-2018

Hello!

This morning, i have changed the configuration of an inline extraction in props.conf.
The original Extraction (this worked):

[source::///var/log/containers/*.log]
EXTRACT-sourcedata = (?<containers>(?<=containers\/).*?(?=_)).(?<namespace>.*(?=_)).(?<service>.*(?=-)) in source

I then changed the extraction to this:

[docker_json]
EXTRACT-sourcedata = (?<containers>(?<=containers\/).*?(?=_)).(?<namespace>.*(?=_)).(?<service>.*(?=-)) in source

because the inputs.conf file defines the sourcetype as follows ...

[monitor:///var/log/containers/*.log]
sourcetype = docker_json
disabled = 0

..., this should work.
however, the change did not work. I proceeded to undo said change, yet the old extraction stopped working as well.

Why is that? Does it take time for splunk to apply inline extractions?

Burritobizon · ‎05-25-2018

I have found the answer as to why the old extraction didn't work:

despite that inputs.conf defines the input as follows:

[monitor:///var/log/containers/*.log]

the stanza in props.conf has to be as follows:

[source::/var/log/containers/*.log]

I apologise for above error also being present in the working version above.
However, that does not explain why the new extraction (using the sourcetype) does not work.

FrankVl · ‎05-25-2018

At risk of stating the obvious, but:
- did you deploy the config in the right place (your search head(s))?
- you're not rewriting the sourcetype to something else at index time?
- no conflicting configs due to previous attempts? (e.g. check with btool)

Props.conf EXTRACT stopped working after stanza change

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases