Solved: Re: Why does props.conf stanza with the full path ...

Mubarish · ‎09-10-2014

I have created source stanza and tried to extract fields within the source. The path of the source is :

C:\Users\xbbxxxx\Desktop\Splunk\28_09_2014_dbg.txt

If I define the stanza with the full path like below in the props.conf. I am able to extract fields from the source

                    [source::C:\Users\xbbxxxx\Desktop\Splunk\28_09_2014_dbg.txt]
        EXTRACT-Filename_sourcedbg = Final Filename (was\s)?\[(?<Fname>.*)](. Connected| in directory)
        EXTRACT-Username_sourcedbg = .*(?:UserID \[|Connected to \[)(?<Uname>\S+)(@\S+]|@\S+]. Timeout)

But, if i try with regex like below I 'm not able to extract fields from the same source

        [source::C:\\Users\\....\\Splunk\\28_09_2014_dbg.txt]
        EXTRACT-Filename_sourcedbg = Final Filename (was\s)?\[(?<Fname>.*)](. Connected| in directory)
        EXTRACT-Username_sourcedbg = .*(?:UserID \[|Connected to \[)(?<Uname>\S+)(@\S+]|@\S+]. Timeout)

What is wrong with the config? Please help.

chris · ‎09-10-2014

Have you tried:

[source::C:\Users\...\Splunk\*_dbg.txt]

According to the documentation Splunk uses 3 dots (...) to recurse through directories until the match is met:
http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/Specifyinputpathswithwildcards

Usually it is better to work with sourcetypes rather than using sources for your stanzas in props.conf (but maybe you're using the config you have for a reason I don't know):
http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/Whysourcetypesmatter

Regards
Chris

View solution in original post

chris · ‎09-10-2014

Have you tried:

[source::C:\Users\...\Splunk\*_dbg.txt]

According to the documentation Splunk uses 3 dots (...) to recurse through directories until the match is met:
http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/Specifyinputpathswithwildcards

Usually it is better to work with sourcetypes rather than using sources for your stanzas in props.conf (but maybe you're using the config you have for a reason I don't know):
http://docs.splunk.com/Documentation/Splunk/6.1.3/Data/Whysourcetypesmatter

Regards
Chris

Mubarish · ‎09-10-2014

Ya you are right. 3 dots works 🙂

Chris in our senario we have all the files follows either of 3 different format. But, the sourcetype is assigned same for all the files. Is there any solution to extract with sourcetype in props.conf

chris · ‎09-10-2014

Oh and yes have a go with 3 dots you might get lucky

chris · ‎09-10-2014

If all the different files have the same format-> you should be fine with one sourcetype. If every file is from a different source(syslog,java,json,xml differen Application every time) then sourcetypes will not help immediatly. But usuallly people work with data from one or a couple of applications.

Mubarish · ‎09-10-2014

I have tried like this [source::C:\Users\....\Splunk\28_09_2014_dbg.txt]
it won't work. do u want me to try with 3 dots.

I already upload hundreds of differnt sources files with same sourcetype. changing the sourcetype each file is difficult. how can i proceed

Why does props.conf stanza with the full path name extract fields from the source, but not with my regex?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio