https://community.splunk.com/t5/Splunk-Search/Index-Time-field-extraction/m-p/45383#M10764 <P>The problems is I cannot see the fields in the manager. I am just learning and reading and I just want the fields to always be available for stats and charts. Other than that, please show me a better way!</P> <P>Dave</P> Mon, 26 Nov 2012 21:39:31 GMT daveowens 2012-11-26T21:39:31Z https://community.splunk.com/t5/Splunk-Search/Index-Time-field-extraction/m-p/45380#M10761 <P>I have a custom log file with entries like the one below, I want to pull 8 fields out at index time so I can graph and chart of them. </P> <P>wdSiteData.busy: false wdSiteData.needUpdate: false wdSiteData.requestType: -1 wdSiteData.state: UT wdSiteData.country: USA wdSiteData.district: SOME DISTRICT wdSiteData.availableUpdates: [SP_Update_4_2_1_107_from_96.jar, SP_Update_4_2_1_108.jar, SP_Update_4_2_1_95.jar, SP_Update_4_2_1_96.jar, SP_Update_4_3_0_77_from_4_2_1_108.jar, SP_Update_4_3_0_78.jar, SP_Update_4_3_0_84_from_78.jar, SP_Update_4_4_0_64_from_4_3_0_84.jar] wdSiteData.peerList: null wdSiteData.checksumJar: null wdSiteData.checksumInstall: null wdSiteData.partialDownloadBytes: 0 wdSiteData.filesize: 0 wdSiteData.siteVersion: 7.8.9.10 wdSiteData.versionFrom: null wdSiteData.versionTo: null wdSiteData.timestamp: null wdSiteData.downloadUrl: null wdSiteData.school: -1 wdSiteData.filename: null wdSiteData.updateAvailable: false wdSiteData.clientAddress: 10.10.10.10 wdSiteData.guid: {4445454b1e-805a-11de-8896-fdfdfdfd743c1a} wdSiteData.maximumPeerConnections: 0</P> <P>I have added in my transforms.conf /opt/splunk/etc/system/default/transforms.conf (regex and format are single lines)<BR /> I have tested the regex and it does find the fields I want correctly</P> <P>[WSM-CONNTECTIONS-SiteData]<BR /> REGEX = wdSiteData.(state|country|district|siteVersion|timestamp|school|clientAddress|maximumPeerConnections):<BR /> FORMAT = WSM-timestamp::"$5" district::"$3" school::"$6" state::"$1" country::"$2" version::"$4" ipaddress::"$7" peerconnections::"$8"<BR /> WRITE_META = [true]</P> <P>I have added in my props.conf /opt/splunk/etc/system/default/props.conf<BR /> [host::$IP_OF_HOST]<BR /> TRANSFORMS-WSM = WSM-CONNTECTIONS-SiteData</P> <P>I have added in my fields.conf /opt/splunk/etc/system/default/fields.conf</P> <P>[WSM-timestamp]<BR /> INDEXED = True</P> <P>[district]<BR /> INDEXED = True</P> <P>[school]<BR /> INDEXED = True</P> <P>[state]<BR /> INDEXED = True</P> <P>[country]<BR /> INDEXED = True</P> <P>[version]<BR /> INDEXED = True</P> <P>[ipaddress]<BR /> INDEXED = True</P> <P>[peerconnections]<BR /> INDEXED = True</P> Mon, 28 Sep 2020 12:52:03 GMT https://community.splunk.com/t5/Splunk-Search/Index-Time-field-extraction/m-p/45380#M10761 daveowens 2020-09-28T12:52:03Z https://community.splunk.com/t5/Splunk-Search/Index-Time-field-extraction/m-p/45381#M10762 <P>Why use index-time field extraction? Is there a specific reason for doing so? Index-time field extraction should only be done if there's a really good reason for it, and only if you really know what you're doing. It has a negative impact on performance and often causes increased complexity.</P> Mon, 26 Nov 2012 21:12:21 GMT https://community.splunk.com/t5/Splunk-Search/Index-Time-field-extraction/m-p/45381#M10762 Ayn 2012-11-26T21:12:21Z https://community.splunk.com/t5/Splunk-Search/Index-Time-field-extraction/m-p/45382#M10763 <P>By the way you don't actually say what the problem you're having is...?</P> Mon, 26 Nov 2012 21:13:27 GMT https://community.splunk.com/t5/Splunk-Search/Index-Time-field-extraction/m-p/45382#M10763 Ayn 2012-11-26T21:13:27Z https://community.splunk.com/t5/Splunk-Search/Index-Time-field-extraction/m-p/45383#M10764 <P>The problems is I cannot see the fields in the manager. I am just learning and reading and I just want the fields to always be available for stats and charts. Other than that, please show me a better way!</P> <P>Dave</P> Mon, 26 Nov 2012 21:39:31 GMT https://community.splunk.com/t5/Splunk-Search/Index-Time-field-extraction/m-p/45383#M10764 daveowens 2012-11-26T21:39:31Z https://community.splunk.com/t5/Splunk-Search/Index-Time-field-extraction/m-p/45384#M10765 <P>Generally, always use search-time field extractions. The docs have plenty of information on this that should get you going. Here's a good place to start: <A href="http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsatsearchtime">http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsatsearchtime</A></P> Mon, 26 Nov 2012 21:43:59 GMT https://community.splunk.com/t5/Splunk-Search/Index-Time-field-extraction/m-p/45384#M10765 Ayn 2012-11-26T21:43:59Z https://community.splunk.com/t5/Splunk-Search/Index-Time-field-extraction/m-p/45385#M10766 <P>As Ayn says, there's no need to make these fields part of your index, using search time extractions is the right way to go 99% of the time.</P> <P>Also, putting customisations in default/transforms.conf , default/props.conf and default/fields.conf is a bad idea, these files will get overwritten when you patch / upgrade</P> <P>You should make files in etc/system/local called props.conf and transforms.conf and put any customisations you've made in there. <BR /> You should also remove the customisations you made to default/fields.conf - you don't need them for search time extraction.</P> <P>This is what you need to do search time extractions for all the fields in your Site Data events.</P> <P>props.conf:</P> <PRE><CODE>[host::$IP_OF_HOST] REPORT-WSM = WSM_CONNTECTIONS_SiteData </CODE></PRE> <P>transforms.conf</P> <PRE><CODE>[WSM_CONNTECTIONS_SiteData] REGEX = wdSiteData\.([^:]+):\s+(.*?)(?=(?:\s+wdSiteData|$)) FORMAT = $1::$2 </CODE></PRE> <P>in the search bar run :</P> <P><CODE>| extract reload=t</CODE></P> <P>then </P> <P><CODE>wdSiteData</CODE></P> <P>You should see a bunch of interesting fields in the side bar</P> Mon, 26 Nov 2012 23:15:52 GMT https://community.splunk.com/t5/Splunk-Search/Index-Time-field-extraction/m-p/45385#M10766 jonuwz 2012-11-26T23:15:52Z https://community.splunk.com/t5/Splunk-Search/Index-Time-field-extraction/m-p/45386#M10767 <P>and if you're running 4.3+ you don't even need to do an extract reload=t, search time extractions should be reloaded each time Splunkd forks off a new process for a search.</P> Tue, 27 Nov 2012 00:25:40 GMT https://community.splunk.com/t5/Splunk-Search/Index-Time-field-extraction/m-p/45386#M10767 Drainy 2012-11-27T00:25:40Z https://community.splunk.com/t5/Splunk-Search/Index-Time-field-extraction/m-p/45387#M10768 <P>I have a close problem: I have to extract fields at index time to accelerate my searches (I have millions of events with 72 fields in each one) and a people from Splunk suggested to me to extract fields at index time to have a quicker search.<BR /> When you say " ...a negative impact on performance..." you are speaking about indexing performance or searching performance?<BR /> thank you.<BR /> Giuseppe</P> Thu, 19 Nov 2015 11:01:11 GMT https://community.splunk.com/t5/Splunk-Search/Index-Time-field-extraction/m-p/45387#M10768 gcusello 2015-11-19T11:01:11Z