https://community.splunk.com/t5/Getting-Data-In/index-only-part-of-a-log/m-p/87031#M18067 <P>Here is the easiest and most efficient way to do it. On the Splunk server, put the following in<BR /><BR /> $SPLUNK_HOME/etc/system/local/props.conf</P> <PRE><CODE>[source::nameoffiles] TRUNCATE = 100 </CODE></PRE> <P>TRUNCATE says "only index the first 100 characters of each event." The 100 is arbitrary, but if you can figure out a reasonable value for your situation, it will work well. And if you sometimes get a a little bit of the "garbage" in there, you can just ignore it.</P> <P>For the "nameoffiles", you must specify the input files that should be affected. You can use wildcards here, but be careful. And you do need to specify the full path name, etc. Take a look in the manual for more info about <A href="http://docs.splunk.com/Documentation/Splunk/4.3.1/admin/Propsconf">props.conf</A>.<BR /> You could specify the same thing, but using the sourcetype of the data instead - if the data all has the same sourcetype:</P> <PRE><CODE>[yoursourcetypename] TRUNCATE = 100 </CODE></PRE> <P>There are other ways to do this, but they require more processing, etc.</P> Thu, 08 Mar 2012 02:25:26 GMT lguinn2 2012-03-08T02:25:26Z https://community.splunk.com/t5/Getting-Data-In/index-only-part-of-a-log/m-p/87030#M18066 <P>Is there a way to index only part of a log? These logs are custom log files from a windows server. There are thousands of files, each file belonging to an AD user, and the files are updated when a user logs onto/off of a domain machine. I don't want the entire log to be index because there is a lot of junk in there that I don't need or want to index. For example this is the structure:</P> <P>Date | Time | user | macaddress | IP | Function | computer name | AD Display Name | share directory | then a bunch of other garbage | etc.</P> <P>Basically I need everything but share directory, AD Display name, macaddress, and the other garbage. </P> <P>The windows server that the files are sitting on is separate from the splunk server.</P> Wed, 07 Mar 2012 23:02:01 GMT https://community.splunk.com/t5/Getting-Data-In/index-only-part-of-a-log/m-p/87030#M18066 gregwilliams 2012-03-07T23:02:01Z https://community.splunk.com/t5/Getting-Data-In/index-only-part-of-a-log/m-p/87031#M18067 <P>Here is the easiest and most efficient way to do it. On the Splunk server, put the following in<BR /><BR /> $SPLUNK_HOME/etc/system/local/props.conf</P> <PRE><CODE>[source::nameoffiles] TRUNCATE = 100 </CODE></PRE> <P>TRUNCATE says "only index the first 100 characters of each event." The 100 is arbitrary, but if you can figure out a reasonable value for your situation, it will work well. And if you sometimes get a a little bit of the "garbage" in there, you can just ignore it.</P> <P>For the "nameoffiles", you must specify the input files that should be affected. You can use wildcards here, but be careful. And you do need to specify the full path name, etc. Take a look in the manual for more info about <A href="http://docs.splunk.com/Documentation/Splunk/4.3.1/admin/Propsconf">props.conf</A>.<BR /> You could specify the same thing, but using the sourcetype of the data instead - if the data all has the same sourcetype:</P> <PRE><CODE>[yoursourcetypename] TRUNCATE = 100 </CODE></PRE> <P>There are other ways to do this, but they require more processing, etc.</P> Thu, 08 Mar 2012 02:25:26 GMT https://community.splunk.com/t5/Getting-Data-In/index-only-part-of-a-log/m-p/87031#M18067 lguinn2 2012-03-08T02:25:26Z https://community.splunk.com/t5/Getting-Data-In/index-only-part-of-a-log/m-p/87032#M18068 <P>Thanks! The fields are fixed length so this works perfectly for what I'm trying to do.</P> Thu, 08 Mar 2012 16:43:02 GMT https://community.splunk.com/t5/Getting-Data-In/index-only-part-of-a-log/m-p/87032#M18068 gregwilliams 2012-03-08T16:43:02Z