https://community.splunk.com/t5/Getting-Data-In/how-to-extract-values-using-sourcetype/m-p/253551#M48700 <P>Hi sfatnass, </P> <P>Index your logs and create a custom sourcetype, for example, named mylogs. Then create custom search-time field extraction: </P> <OL> <LI><P>Edit $SPLUNKHOME/etc/apps/search/local/props.conf: </P> <P>[mylogs]<BR /> REPORT-mylogs = mylogs</P></LI> <LI><P>Edit $SPLUNKHOME/etc/apps/search/local/transforms.conf: </P> <P>[mylogs]<BR /> DELIMS = "#"<BR /> FIELDS = name date ip ua status acted numact</P></LI> <LI><P>Reload your configuration files through <A href="http://your_splunk_web_url:8000/en-US/debug/refresh">http://your_splunk_web_url:8000/en-US/debug/refresh</A> , and your logs will have the correct fields extracted. </P></LI> </OL> <P>Hope it helps. Thanks!<BR /> Hunter</P> Thu, 13 Oct 2016 14:40:59 GMT hunters_splunk 2016-10-13T14:40:59Z https://community.splunk.com/t5/Getting-Data-In/how-to-extract-values-using-sourcetype/m-p/253548#M48697 <P>hi,<BR /> i have some logs contain values separate by #.</P> <P>exemple : </P> <P>charlie#2016-10-11#125.44.23.10#Mozzila#resolvedTest#1#12</P> <P>my objectif is to add new fields :<BR /> name = charlie<BR /> date = 2016-10-11<BR /> ip = 125.44.23.10<BR /> ua = Mozzila<BR /> status = resolvedTest<BR /> acted = 1<BR /> numact = 12</P> <P>the separator is #</P> <P>but how can i edit the configuration</P> Thu, 13 Oct 2016 13:23:02 GMT https://community.splunk.com/t5/Getting-Data-In/how-to-extract-values-using-sourcetype/m-p/253548#M48697 sfatnass 2016-10-13T13:23:02Z https://community.splunk.com/t5/Getting-Data-In/how-to-extract-values-using-sourcetype/m-p/253549#M48698 <P>You could use the <A href="http://docs.splunk.com/Documentation/Splunk/6.4.3/Knowledge/ExtractfieldsinteractivelywithIFX">Interactive Field Extractor</A> to extract these fields. Select the delim option and use <CODE>#</CODE> as the delimiter. You will then have an opportunity to name all the fields that are extracted.</P> Thu, 13 Oct 2016 13:44:03 GMT https://community.splunk.com/t5/Getting-Data-In/how-to-extract-values-using-sourcetype/m-p/253549#M48698 sundareshr 2016-10-13T13:44:03Z https://community.splunk.com/t5/Getting-Data-In/how-to-extract-values-using-sourcetype/m-p/253550#M48699 <P>Try this:</P> <PRE><CODE>props.conf [ mysourcetype ] SHOULD_LINEMERGE=false NO_BINARY_CHECK=true TIME_FORMAT=%Y-%m-%d TIME_PREFIX=\w+\# MAX_TIMESTAMP_LOOKAHEAD=10 REPORT-mylogs = mylogs_fields transforms.conf [mylogs_fields] DELIMS = "#" FIELDS = "name","date","ip","ua","status","acted","numact" </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Thu, 13 Oct 2016 13:57:42 GMT https://community.splunk.com/t5/Getting-Data-In/how-to-extract-values-using-sourcetype/m-p/253550#M48699 gcusello 2016-10-13T13:57:42Z https://community.splunk.com/t5/Getting-Data-In/how-to-extract-values-using-sourcetype/m-p/253551#M48700 <P>Hi sfatnass, </P> <P>Index your logs and create a custom sourcetype, for example, named mylogs. Then create custom search-time field extraction: </P> <OL> <LI><P>Edit $SPLUNKHOME/etc/apps/search/local/props.conf: </P> <P>[mylogs]<BR /> REPORT-mylogs = mylogs</P></LI> <LI><P>Edit $SPLUNKHOME/etc/apps/search/local/transforms.conf: </P> <P>[mylogs]<BR /> DELIMS = "#"<BR /> FIELDS = name date ip ua status acted numact</P></LI> <LI><P>Reload your configuration files through <A href="http://your_splunk_web_url:8000/en-US/debug/refresh">http://your_splunk_web_url:8000/en-US/debug/refresh</A> , and your logs will have the correct fields extracted. </P></LI> </OL> <P>Hope it helps. Thanks!<BR /> Hunter</P> Thu, 13 Oct 2016 14:40:59 GMT https://community.splunk.com/t5/Getting-Data-In/how-to-extract-values-using-sourcetype/m-p/253551#M48700 hunters_splunk 2016-10-13T14:40:59Z