I'm having issues creating a custom field extraction based on the source field. Here's all the information.
inputs.conf - Heavy Forwarder
[monitor:///mnt/splunkLogShare/TS2/...]
disabled = 0
index = test
sourcetype = Support:TS2
props.conf - Search Head (metadata [props] export=system)
[Support:*]
EXTRACT-custom_extracted_field = /mnt/splunkLogShare/(TS1|TS2|TS3|TS4|TS5)/(?[^/]+)/.* in source
Directory structure - Heavy Forwarder
/mnt/splunkLogShare/TS2/300-222222/file1.txt
/mnt/splunkLogShare/TS2/300-222222/file2.txt
/mnt/splunkLogShare/TS2/300-222222/dir1/
/mnt/splunkLogShare/TS2/300-222222/dir1/file3.txt
Searching for the following returns nothing as custom_extracted_field doesn't exist
index=test custom_extracted_field=300-222222
Searching the following creates custom_extracted_field without issue
index=test source=\*300-222222\* | rex field=source "/mnt/splunkLogShare/(TS1|TS2|TS3|TS4|TS5)/(?[^/]+)/.*"
No automatic field extraction is happening. Thoughts?
↧