
Splunk Forwarder Field Extractions from Source

Hello, I think I know the answer but just want to confirm it. I have a Universal Forwarder and want to extract a field from source and send it to the indexer. It's a regular log (not a CSV, PSV, etc.), so I guess I cannot (?) use INDEXED_EXTRACTIONS.

*inputs.conf*

```
[monitor://C:\test\testname.log]
sourcetype = mytest
```

*props.conf*

```
[mytest]
EXTRACT-mytest = C:\\test2\\(?<mytest>.+).log in source
```

If I add these settings to a non-forwarder Splunk instance, it works perfectly. I am able to extract the mytest variable (**testname** in this example) from the source. If I copy the same settings to my Universal Forwarder, it won't work: the data is forwarded but the field is not extracted.

Do I have to convert it to a heavy forwarder? Or add these extractions to our indexers?

I was reading this --> https://answers.splunk.com/answers/155234/field-extractions-dont-work-for-forwarded-input-from-universal-forwarder.html?utm_source=typeahead&utm_medium=newquestion&utm_campaign=no_votes_sort_relev

Based on the above, I am just making sure that Universal Forwarders are not able to extract fields from source unless they are certain file types like CSV, TSV, etc. And if it is possible, can someone pass along an example with props?

Thanks!
