https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-fields-at-index-time/m-p/363149#M7147 <P>Final config looks like this if anyone ever needs it:<BR /> transforms.conf:</P> <PRE><CODE>[SerilogKVPairs] DELIMS = "{,}", ":" [LogLevel] REGEX = ^(?:[^ \n]* ){3}(?P&lt;loglevel&gt;[^ ]+) WRITE_META = true </CODE></PRE> <P>fields.conf:</P> <PRE><CODE>[LogLevel] INDEXED=true </CODE></PRE> <P>props.conf:</P> <PRE><CODE># Extract fields from Serilog log inputs REPORT-SerilogKVPairs= SerilogKVPairs TRANSFORMS-LogLevel= LogLevel </CODE></PRE> Mon, 02 Oct 2017 01:54:34 GMT paulmilbank 2017-10-02T01:54:34Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-fields-at-index-time/m-p/363144#M7142 <P>We have .net logs from SeriLog and we would like to break it down into key value pairs at index time and extract some fields. <BR /> I have tried to follow the splunk guides and blog posts, but my indexed fields are not available. I can't post links yet unfortunately. <BR /> transforms.conf:</P> <PRE><CODE>[SerilogKVPairs] DELIMS = "{,}", ":" [LogLevel] REGEX = ^(?:[^ \n]* ){3}(?P&lt;LogLevel&gt;[^ ]+) </CODE></PRE> <P>props.conf:</P> <PRE><CODE># Extract fields from Serilog log inputs TRANSFORMS-KVPairs= SerilogKVPairs TRANSFORMS-LogLevel= LogLevel </CODE></PRE> <P>fields.conf:</P> <PRE><CODE>[SerilogKVPairs] INDEXED=true [LogLevel] INDEXED=true </CODE></PRE> <P>if I search with a pipe to kv SerilogKVPairs it all works, I have searchable values from my Serilog files. <BR /> But the fields are not available in the UI unless I pipe it through kv SerilogKVPairs. <BR /> We would like them to be available on all logs without having to pipe through the KV command. <BR /> Loglevel does not seem to be extracted either. </P> <P>Is there a log which shows what is going on here?<BR /> Thanks<BR /> Paul</P> Sun, 01 Oct 2017 22:33:35 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-fields-at-index-time/m-p/363144#M7142 paulmilbank 2017-10-01T22:33:35Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-fields-at-index-time/m-p/363145#M7143 <P>I have managed to get loglevel working as a field now. I am still unsure how to get the KV pairs to be extracted and available without needing to pipe search through KV. </P> Sun, 01 Oct 2017 23:05:02 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-fields-at-index-time/m-p/363145#M7143 paulmilbank 2017-10-01T23:05:02Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-fields-at-index-time/m-p/363146#M7144 <P>Have you try this?</P> <P><A href="http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Data/Configureindex-timefieldextraction">http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Data/Configureindex-timefieldextraction</A></P> Mon, 02 Oct 2017 01:22:13 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-fields-at-index-time/m-p/363146#M7144 xisura 2017-10-02T01:22:13Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-fields-at-index-time/m-p/363147#M7145 <P>This is now resolved from the look of things. I changed TRANSFORMS to REPORTS for the KV Delimiter, Removed it from fields.conf and it seems to be working now.</P> Mon, 02 Oct 2017 01:29:39 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-fields-at-index-time/m-p/363147#M7145 paulmilbank 2017-10-02T01:29:39Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-fields-at-index-time/m-p/363148#M7146 <P>That is the guide I followed today and it has enabled me to sort this out now. Thanks very much. </P> Mon, 02 Oct 2017 01:31:11 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-fields-at-index-time/m-p/363148#M7146 paulmilbank 2017-10-02T01:31:11Z https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-fields-at-index-time/m-p/363149#M7147 <P>Final config looks like this if anyone ever needs it:<BR /> transforms.conf:</P> <PRE><CODE>[SerilogKVPairs] DELIMS = "{,}", ":" [LogLevel] REGEX = ^(?:[^ \n]* ){3}(?P&lt;loglevel&gt;[^ ]+) WRITE_META = true </CODE></PRE> <P>fields.conf:</P> <PRE><CODE>[LogLevel] INDEXED=true </CODE></PRE> <P>props.conf:</P> <PRE><CODE># Extract fields from Serilog log inputs REPORT-SerilogKVPairs= SerilogKVPairs TRANSFORMS-LogLevel= LogLevel </CODE></PRE> Mon, 02 Oct 2017 01:54:34 GMT https://community.splunk.com/t5/Splunk-Enterprise/How-to-extract-fields-at-index-time/m-p/363149#M7147 paulmilbank 2017-10-02T01:54:34Z