Hi,
We have a search that extracts Customer and Country correctly
index=aaa host="*Host1*" sourcetype=aaa_bbb | rex field=source "C:\\\DIR\\\(?\w*)\\\(?\w*)" | table source,Customer,Country
source example = C:\DIR\CustomerX\CountryX\Web\log\2017-12-bbb.log
--
Now we want to use props.conf for extracting these 2 fields
When modifying the props.conf on the Splunk server (/opt/splunk/etc/system/local/props.conf)
[aaa_bbb]
EXTRACT-Customer,Country = C:\\\DIR\\\(?\w*)\\\(?\w*) in source
After rebooting the server the fields are not there (we tried different options, none seem to work)
Please advise how we could extract these fields 'automatically' using props.conf
Thanks
/Edwin
↧