I am trying to create a field extraction for events from the source:
WinEventLog:Microsoft-Windows-TerminalServices-Gateway/Operational
I am able to save it, but when I go to set permissions on it (or edit/move it), I get the following in Splunk web:
Splunk could not perform action for resource data/props/extractions (404, u'Splunk cannot find "data/props/extractions/source::WinEventLog:Microsoft-Windows-TerminalServices-Gateway/Operational : EXTRACT-TestRDG". [HTTP 404] https://127.0.0.1:8089/servicesNS//search/data/props/extractions/source%253A%253AWinEventLog%253AMic...; [{\'type\': \'ERROR\', \'text\': \'Could not find object id=source%3A%3AWinEventLog%3AMicrosoft-Windows-TerminalServices-Gateway/Operational : EXTRACT-TestRDG\', \'code\': None}]')
I am able to delete it though.
It looks like the forward slash in the source is the problem.
Has anyone encountered this before or know of a work around for it?
They "easy" answer is to avoid using source
and instead sourcetype
. If you must use source
, then try using source = ...Operational
I tested it and this works.
Hello, i am getting the same error but i am using source type that has a forward slash. See error below:
Splunk could not perform action for resource data/props/extractions (404, 'Splunk cannot find "data/props/extractions//nrc/prod/rtp/bi/api : EXTRACT-Exception_Code". [HTTP 404] https://127.0.0.1:8089/servicesNS/klynch/search/data/props/extractions/%252Fnrc%252Fprod%252Frtp%252...; [{\'type\': \'ERROR\', \'code\': None, \'text\': \'Could not find object id=/nrc/prod/rtp/bi/api : EXTRACT-Exception_Code\'}]')
I notice that there are two // in the path leading up to the props entry....
The odd thing is that the extract works, I just cannot edit the entry from the fields extraction page. I need to make the permissions global to all users.