https://community.splunk.com/t5/Getting-Data-In/How-do-I-create-extractions-where-it-can-pick-field-names-from/m-p/553441#M91758 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/142528">@puneetkharband1</a>&nbsp;</P><P>expand your event and select event actions &gt; extract fields</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="aasabatini_0-1622181336243.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/14350i6C9301C41D5405EE/image-size/medium?v=v2&amp;px=400" role="button" title="aasabatini_0-1622181336243.png" alt="aasabatini_0-1622181336243.png" /></span></P><P>it's will open another page like this, please select delimiters and click next</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="aasabatini_1-1622181445975.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/14351i0F7AA61D0E7ADB94/image-size/medium?v=v2&amp;px=400" role="button" title="aasabatini_1-1622181445975.png" alt="aasabatini_1-1622181445975.png" /></span></P><P>here select the delimiters other and insert ":" and&nbsp; modify your name fields</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="aasabatini_2-1622181599585.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/14352iDDEF21132C01724D/image-size/medium?v=v2&amp;px=400" role="button" title="aasabatini_2-1622181599585.png" alt="aasabatini_2-1622181599585.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Fri, 28 May 2021 06:00:56 GMT aasabatini 2021-05-28T06:00:56Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-create-extractions-where-it-can-pick-field-names-from/m-p/553430#M91757 <P>I have 2 types of logs from one source where I need to map fields vs values ...I dont want to create complex regex as they are from structured data so how do I create fields and values from events&nbsp;<BR /><BR />May 27 07:51:49 TESTHOSTTEST TESTDEVTEST_11.2.0.125: User '' (root) : FAILED: Sign On, ID: 123220127, InstID: 7653, IPAddress: 111.222.213.238, FolderID: 0, Username: root, AgentBrand: TEST DEV SSH, AgentVersion: 11.2.0.0, DEVSize: 0, Error: 2976, Message: Failed to sign on: This IP address has been locked out.<BR /><BR />May 27 07:51:34 TESTHOSTTEST TESTDEVTEST_11.2.0.125: User 'BLA BLA DI' (ei4o2f18pcsuo5tp) : Download File, ID: 123220102, InstID: 7653, IPAddress: 333.222.231.94, FileID: 770879833, FileName: 16680_Signup Detail_20210527 01-49-18-86.csv, FolderID: 472070079, FolderPath: /Home/test/TestWorks/Enhanced Affiliate Signup Reports, Username: TEST, AgentBrand: Chrome Browser, AgentVersion: 90.0.4430.212, DEVSize: 739698, Parm2: 0, Error: 0</P> Fri, 28 May 2021 03:37:49 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-create-extractions-where-it-can-pick-field-names-from/m-p/553430#M91757 puneetkharband1 2021-05-28T03:37:49Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-create-extractions-where-it-can-pick-field-names-from/m-p/553441#M91758 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/142528">@puneetkharband1</a>&nbsp;</P><P>expand your event and select event actions &gt; extract fields</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="aasabatini_0-1622181336243.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/14350i6C9301C41D5405EE/image-size/medium?v=v2&amp;px=400" role="button" title="aasabatini_0-1622181336243.png" alt="aasabatini_0-1622181336243.png" /></span></P><P>it's will open another page like this, please select delimiters and click next</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="aasabatini_1-1622181445975.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/14351i0F7AA61D0E7ADB94/image-size/medium?v=v2&amp;px=400" role="button" title="aasabatini_1-1622181445975.png" alt="aasabatini_1-1622181445975.png" /></span></P><P>here select the delimiters other and insert ":" and&nbsp; modify your name fields</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="aasabatini_2-1622181599585.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/14352iDDEF21132C01724D/image-size/medium?v=v2&amp;px=400" role="button" title="aasabatini_2-1622181599585.png" alt="aasabatini_2-1622181599585.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Fri, 28 May 2021 06:00:56 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-create-extractions-where-it-can-pick-field-names-from/m-p/553441#M91758 aasabatini 2021-05-28T06:00:56Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-create-extractions-where-it-can-pick-field-names-from/m-p/553502#M91770 <P>this doesnt work I tried delimiter option.</P> Fri, 28 May 2021 12:55:23 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-create-extractions-where-it-can-pick-field-names-from/m-p/553502#M91770 puneetkharband1 2021-05-28T12:55:23Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-create-extractions-where-it-can-pick-field-names-from/m-p/553506#M91771 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/142528">@puneetkharband1</a>&nbsp;</P><P>are your sure that logs are structured data?, like as you shared looks like not structured, anyway&nbsp; if are not structured you need to use mandatory the regular expression.</P><P>&nbsp;</P> Fri, 28 May 2021 13:08:10 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-create-extractions-where-it-can-pick-field-names-from/m-p/553506#M91771 aasabatini 2021-05-28T13:08:10Z https://community.splunk.com/t5/Getting-Data-In/How-do-I-create-extractions-where-it-can-pick-field-names-from/m-p/553533#M91774 <P>if you see there is one pattern and these logs are generated from a tool(Xfer) and only 2 types of logs are there which I posted.</P> Fri, 28 May 2021 14:31:05 GMT https://community.splunk.com/t5/Getting-Data-In/How-do-I-create-extractions-where-it-can-pick-field-names-from/m-p/553533#M91774 puneetkharband1 2021-05-28T14:31:05Z