https://community.splunk.com/t5/Getting-Data-In/Splunk-Flat-file-Field-Extraction-Transforms-conf/m-p/191893#M38239 <P>One problem with your REGEX above is that you state that there is a non-space character between your fields. Perhaps you want to use <CODE>\s</CODE> instead of <CODE>\S</CODE>? Also, if you want to use that regex, I suggest you change it a little and put it in a normal EXTRACT in props.conf only, like so;</P> <P>props.conf</P> <PRE><CODE>[your_sourcetype] EXTRACT-blah = ^(?P&lt;ID&gt;.{10})\s+(?&lt;FIRST_NAME&gt;.{15})\s+(?&lt;LAST_NAME&gt;.{12})\s+(?&lt;ADDRESS&gt;.{25})\s+(?&lt;PHONE&gt;.{10}) </CODE></PRE> <P>This works well for logs like;</P> <PRE><CODE>1234567890 gregor von klopp 1, high street 1-555-2345 345323 billy bob ben joe buckingham palace, london +44 123123 </CODE></PRE> <P>So as you can see, this approach requires you to have fixed length fields in your log file. </P> <HR /> <P>If your fields do NOT contain spaces, and you have a delimiter that is a single space, it could also be done (better) with a REPORT (which uses transforms.conf);</P> <P>props.conf</P> <PRE><CODE>[your_sourcetype] REPORT-blah = extract_blah </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[extract_blah] DELIMS = " " FIELDS = ID, FIRST_NAME, LAST_NAME, ADDRESS, PHONE </CODE></PRE> <P>Alternatively, you can do the same thing by changing the regex and use an ordinary EXTRACT that does not require fixed length fields;</P> <P>props.conf</P> <PRE><CODE>[your_sourcetype] EXTRACT-bleh = ^(?P&lt;ID&gt;\S+)\s+(?&lt;FIRST_NAME&gt;\S+)\s+(?&lt;LAST_NAME&gt;\S+)\s+(?&lt;ADDRESS&gt;\S+)\s+(?&lt;PHONE&gt;\S+) </CODE></PRE> <P>These two approaches work with events like;</P> <PRE><CODE>1234123 gregor von_klopp 1,high_street 1-555-2345 23421 billy_bob_ben joe buckingham_palace,london +44123123 </CODE></PRE> <P>Makes sense? </P> <HR /> <P>UPDATE:</P> <P>If you have truly fixed fields, and the field content is truncated if it's above a certain field length, you'd better use the first approach and remove the delimiters from the regex, i.e.</P> <P>file looks like;</P> <PRE><CODE>12345678 HM Queen ElizabN/A Buckingham Palace, London+44123123 0987654321Arnold Schwarzenegg25, Fifth avenue, NY +1-555-123 </CODE></PRE> <P>props.conf</P> <PRE><CODE>EXTRACT-blah = ^(?P&lt;ID&gt;.{10})(?&lt;FIRST_NAME&gt;.{15})(?&lt;LAST_NAME&gt;.{12})(?&lt;ADDRESS&gt;.{25})(?&lt;PHONE&gt;.{10}) </CODE></PRE> Tue, 18 Mar 2014 09:57:54 GMT kristian_kolb 2014-03-18T09:57:54Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Flat-file-Field-Extraction-Transforms-conf/m-p/191892#M38238 <P>Hi,<BR /> I want to extract the fields using transforms.conf from a flat file. The file contains the following fields. There is no field delimiter. I have tried the below regex but not working. pls help me.</P> <P>Field Length: <BR /> ID -10<BR /> FIRST_NAME -15<BR /> LAST_NAME -12<BR /> ADDRESS - 25<BR /> PHONE - 10</P> <P>Example File1:</P> <P>ID FIRST_NAME LAST_NAME ADDRESS PHONE<BR /> 0000001 Name1 Lastname1 Address1 1234567890<BR /><BR /> 00000021 name2 Address2 123456<BR /> 001 name3 Address3 </P> <HR /> <PRE><CODE>REGEX = (?i)^(?P&lt;ID&gt;.{10})\S(?&lt;FIRST_NAME&gt;.{15})\S(?&lt;LAST_NAME&gt;.{12})\S(?&lt;ADDRESS&gt;.{25})\S(?&lt;PHONE&gt;.{10}) </CODE></PRE> <P>Thanks,<BR /> V.S</P> Mon, 28 Sep 2020 16:09:57 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Flat-file-Field-Extraction-Transforms-conf/m-p/191892#M38238 vasanthmss 2020-09-28T16:09:57Z https://community.splunk.com/t5/Getting-Data-In/Splunk-Flat-file-Field-Extraction-Transforms-conf/m-p/191893#M38239 <P>One problem with your REGEX above is that you state that there is a non-space character between your fields. Perhaps you want to use <CODE>\s</CODE> instead of <CODE>\S</CODE>? Also, if you want to use that regex, I suggest you change it a little and put it in a normal EXTRACT in props.conf only, like so;</P> <P>props.conf</P> <PRE><CODE>[your_sourcetype] EXTRACT-blah = ^(?P&lt;ID&gt;.{10})\s+(?&lt;FIRST_NAME&gt;.{15})\s+(?&lt;LAST_NAME&gt;.{12})\s+(?&lt;ADDRESS&gt;.{25})\s+(?&lt;PHONE&gt;.{10}) </CODE></PRE> <P>This works well for logs like;</P> <PRE><CODE>1234567890 gregor von klopp 1, high street 1-555-2345 345323 billy bob ben joe buckingham palace, london +44 123123 </CODE></PRE> <P>So as you can see, this approach requires you to have fixed length fields in your log file. </P> <HR /> <P>If your fields do NOT contain spaces, and you have a delimiter that is a single space, it could also be done (better) with a REPORT (which uses transforms.conf);</P> <P>props.conf</P> <PRE><CODE>[your_sourcetype] REPORT-blah = extract_blah </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[extract_blah] DELIMS = " " FIELDS = ID, FIRST_NAME, LAST_NAME, ADDRESS, PHONE </CODE></PRE> <P>Alternatively, you can do the same thing by changing the regex and use an ordinary EXTRACT that does not require fixed length fields;</P> <P>props.conf</P> <PRE><CODE>[your_sourcetype] EXTRACT-bleh = ^(?P&lt;ID&gt;\S+)\s+(?&lt;FIRST_NAME&gt;\S+)\s+(?&lt;LAST_NAME&gt;\S+)\s+(?&lt;ADDRESS&gt;\S+)\s+(?&lt;PHONE&gt;\S+) </CODE></PRE> <P>These two approaches work with events like;</P> <PRE><CODE>1234123 gregor von_klopp 1,high_street 1-555-2345 23421 billy_bob_ben joe buckingham_palace,london +44123123 </CODE></PRE> <P>Makes sense? </P> <HR /> <P>UPDATE:</P> <P>If you have truly fixed fields, and the field content is truncated if it's above a certain field length, you'd better use the first approach and remove the delimiters from the regex, i.e.</P> <P>file looks like;</P> <PRE><CODE>12345678 HM Queen ElizabN/A Buckingham Palace, London+44123123 0987654321Arnold Schwarzenegg25, Fifth avenue, NY +1-555-123 </CODE></PRE> <P>props.conf</P> <PRE><CODE>EXTRACT-blah = ^(?P&lt;ID&gt;.{10})(?&lt;FIRST_NAME&gt;.{15})(?&lt;LAST_NAME&gt;.{12})(?&lt;ADDRESS&gt;.{25})(?&lt;PHONE&gt;.{10}) </CODE></PRE> Tue, 18 Mar 2014 09:57:54 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-Flat-file-Field-Extraction-Transforms-conf/m-p/191893#M38239 kristian_kolb 2014-03-18T09:57:54Z