https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-field-with-variable-field/m-p/546117#M5466 <P>In transforms.conf I can use DELIMS to extract the field by fixed format.</P> <P>My question is, if one of the field is changeable, how can we resolve that?</P> <P>Thanks,</P> <P>Michael</P> Wed, 15 May 2024 15:43:44 GMT michael_wong 2024-05-15T15:43:44Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-field-with-variable-field/m-p/546117#M5466 <P>In transforms.conf I can use DELIMS to extract the field by fixed format.</P> <P>My question is, if one of the field is changeable, how can we resolve that?</P> <P>Thanks,</P> <P>Michael</P> Wed, 15 May 2024 15:43:44 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-field-with-variable-field/m-p/546117#M5466 michael_wong 2024-05-15T15:43:44Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-field-with-variable-field/m-p/546120#M5467 Are those in some log file/feed or are they from different source/logs? Wed, 31 Mar 2021 05:01:58 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-field-with-variable-field/m-p/546120#M5467 isoutamo 2021-03-31T05:01:58Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-field-with-variable-field/m-p/546500#M5468 <P>No, they are same source, but have a bit difference since configuration inconsistent</P> Fri, 02 Apr 2021 09:00:12 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-field-with-variable-field/m-p/546500#M5468 michael_wong 2021-04-02T09:00:12Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-field-with-variable-field/m-p/546505#M5469 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/57529">@michael_wong</a>,</P> <P>You can use host based transforms to achieve this. Define new transform setting &nbsp;And call this transform using host stanza.</P> Wed, 15 May 2024 15:44:56 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-field-with-variable-field/m-p/546505#M5469 scelikok 2024-05-15T15:44:56Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-field-with-variable-field/m-p/546799#M5518 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/206061">@scelikok</a>,</P> <P>Thanks for your answer. Can you tell more about how to make priority?</P> <P>I have made the change, but looks it didn't take effect. If two report defined in transform.conf, which one will take effect?</P> Wed, 15 May 2024 15:45:21 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-field-with-variable-field/m-p/546799#M5518 michael_wong 2024-05-15T15:45:21Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-field-with-variable-field/m-p/547713#M5574 <P>Here is defined precedences over source, host, sourcetype&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf" target="_blank">https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf</A>.</P><P>Can you share your configurations, so we can easier help you.</P><P>r. Ismo</P> Tue, 13 Apr 2021 05:39:29 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-field-with-variable-field/m-p/547713#M5574 isoutamo 2021-04-13T05:39:29Z