Hi,
Neither of the field extraction stanzas in props.conf works. Weird; for example, the alternative stanza for sha1 in Splunk Web works correctly.
This works in Splunk Web:
sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"
| rex field=Hashes "SHA1=(?[a-fA-F0-9]{40})"
This stanza in props.conf does not work:
EXTRACT-sha1 = SHA1=(?[a-fA-F0-9]{40}) in Hashes
Why?
Tomas