https://community.splunk.com/t5/Getting-Data-In/Extract-fields-during-source-type-creation/m-p/266210#M51017 <P>I have log file that has combination of plain text and key value pairs separated by "|". How can i extract all the fields from log. below is the sample data I'm trying to index. </P> <P>01/16/2017 11:09:15|SNMPv2c|hostname|IP address|0|sonusNodeServerCongestionNotification|sysUpTime : 98677211|snmpTrapOID : sonusNodeServerCongestionNotification|sonusShelfIndex : 1|sonusSlotIndex : 5|sonusOverloadLevel : 1|sonusEventDescription : Shelf 1 slot 5 card congestion level 1.|sonusEventClass : 1|sonusEventLevel : 2|sonusSequenceId : 57031|sonusEventTime : 1484582955|sonusSequenceEpoch : 41|hostID</P> Tue, 31 Jan 2017 20:30:59 GMT jayakumar89 2017-01-31T20:30:59Z https://community.splunk.com/t5/Getting-Data-In/Extract-fields-during-source-type-creation/m-p/266210#M51017 <P>I have log file that has combination of plain text and key value pairs separated by "|". How can i extract all the fields from log. below is the sample data I'm trying to index. </P> <P>01/16/2017 11:09:15|SNMPv2c|hostname|IP address|0|sonusNodeServerCongestionNotification|sysUpTime : 98677211|snmpTrapOID : sonusNodeServerCongestionNotification|sonusShelfIndex : 1|sonusSlotIndex : 5|sonusOverloadLevel : 1|sonusEventDescription : Shelf 1 slot 5 card congestion level 1.|sonusEventClass : 1|sonusEventLevel : 2|sonusSequenceId : 57031|sonusEventTime : 1484582955|sonusSequenceEpoch : 41|hostID</P> Tue, 31 Jan 2017 20:30:59 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-fields-during-source-type-creation/m-p/266210#M51017 jayakumar89 2017-01-31T20:30:59Z https://community.splunk.com/t5/Getting-Data-In/Extract-fields-during-source-type-creation/m-p/266211#M51018 <P>You can add following on your Search Head</P> <P>props.conf</P> <PRE><CODE>[YourSourceType] REPORT-getfields = extract_kv_pairs </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[extract_kv_pairs] DELIMS = "|", ":" </CODE></PRE> <P>Restart Splunk after making change.</P> Tue, 31 Jan 2017 22:02:32 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-fields-during-source-type-creation/m-p/266211#M51018 somesoni2 2017-01-31T22:02:32Z https://community.splunk.com/t5/Getting-Data-In/Extract-fields-during-source-type-creation/m-p/266212#M51019 <P>@somesonie Thanks and it works. I would like to extract the first 5 fields and provide FIELD-NAME to them. how can i do that ?</P> Wed, 01 Feb 2017 15:50:22 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-fields-during-source-type-creation/m-p/266212#M51019 jayakumar89 2017-02-01T15:50:22Z https://community.splunk.com/t5/Getting-Data-In/Extract-fields-during-source-type-creation/m-p/266213#M51020 <P>YOu need to setup field extraction in props.conf like this.</P> <P>props.conf</P> <PRE><CODE> [YourSourceType] REPORT-getfields = extract_kv_pairs EXTRACT-firstfive = ^(?&lt;fieldname1&gt;[^\|]+)\|(?&lt;fieldname2&gt;[^\|]+)\|(?&lt;fieldname3&gt;[^\|]+)\|(?&lt;fieldname4&gt;[^\|]+)\|(?&lt;fieldname5&gt;[^\|]+)\| </CODE></PRE> Wed, 01 Feb 2017 16:07:20 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-fields-during-source-type-creation/m-p/266213#M51020 somesoni2 2017-02-01T16:07:20Z https://community.splunk.com/t5/Getting-Data-In/Extract-fields-during-source-type-creation/m-p/266214#M51021 <P>It helped. Thanks.</P> Wed, 01 Feb 2017 20:31:26 GMT https://community.splunk.com/t5/Getting-Data-In/Extract-fields-during-source-type-creation/m-p/266214#M51021 jayakumar89 2017-02-01T20:31:26Z