- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Why am I unable to apply index-time field extr...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to add an index-time extraction to a current data input by going to Setting > Data Inputs > TCP > [TCP PORT] > Select source type from list, however, my custom extraction does not appear. Here are the relevant bits of my transforms.conf and props.conf:
# props.conf
[unique_apache_custom]
TRANSFORMS-r1 = uniquel_apache_custom_fields
# transforms.conf
[unique_apache_custom_fields]
REGEX = (\S+)\]\s+(\S+)[\s-]+(\[.+\]) \"(OPTIONS|GET|HEAD|POST|PUT|DELETE|TRACE|CONNECT) (\S+) (\S+)\" (\d+) (\d+) \"(\S+)\" \"(\S+)(?: (\(.+\))(?: (\S+) (\S+))?\")?
FORMAT = source::$1 clientip::$2 timestamp::$3 method::$4 url::$5 protocol::$6 status::$7 bytes::$8 hosturl::$9
How do I apply this to my incoming data?
If any more info is needed please let me know.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your help, it turned out I was just missing pulldown_type = true, which was making the type not appear on the list.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for your help, it turned out I was just missing pulldown_type = true, which was making the type not appear on the list.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ubdate your props.conf like this and let me know if ok.
# props.conf
[unique_apache_custom]
REPORT-r1 = uniquel_apache_custom_fields
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Edited my props.conf like above, restarted splunk and still no good.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Where did you put your file? Make shure you have put it in $SPLUNK_HOME/etc/system/local/, or your own custom app directory in $SPLUNK_HOME/etc/apps/local. And let me know again.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Currently props.conf and transforms.conf are both located at $SPLUNK_HOME/etc/apps/local. Also, if it is relevant, their permissions are -rw-r--r--. I have had them at these locations before without issue but I will try them at the locations you suggested.
More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk
.conf24 | Personalize your .conf experience with Learning Paths!
Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...
