Using the docs here: http://docs.splunk.com/Documentation/Splunk/6.5.2/Admin/Propsconf, specifically this section:
* Use '<regex> in <src_field>' to match the regex against the values of a
specific field. Otherwise it just matches against _raw (all raw event
data).
I came up with this:
EXTRACT-metric_parts = : (.*) in metric_path
All the field extractions in metric_parts work fine, but metric_test doesn't appear (it should be a duplicate of metric_path, according to my understanding of the readme).
Is there a limitation I'm missing here? Can src_field only be one of the automatic fields like source?