topic How to extract fields with not displayed content ? in Splunk Search

How to extract fields with not displayed content ?

lllidan — Tue, 15 Jan 2019 07:25:45 GMT

if I have a short event log, I can easy extract the field that displayed in the "Extraction fields Wizard". ( use mouse to select the target field. and then follow the wizard )
but for a long event log, the event content may not displayed completely, in this situation, how can I select the field that in the hide content? or I can only use REX formula?

Re: How to extract fields with not displayed content ?

gcusello — Tue, 15 Jan 2019 07:44:12 GMT

Hi lllidan,
what do you mean with "the event content may not displayed completely"?
could you share an example of your log and what you want to extract?
If your event logs are truncated, see at https://docs.splunk.com/Documentation/Splunk/7.2.3/Admin/Propsconf to understand how to avoid log truncating.
in few words, you have to put the option TRUNCATE = 0 in your props.conf stanza related to the sourcetype.

Bye.
Giuseppe

Re: How to extract fields with not displayed content ?

lllidan — Tue, 15 Jan 2019 08:26:14 GMT

Hi Giuseppe,

A good suggestion! I would like to try it, but which one is the correct path of "props.conf" file? I found many files use the same name in Splunk installation folder.

Re: How to extract fields with not displayed content ?

gcusello — Tue, 15 Jan 2019 08:44:19 GMT

Hi lllidan,
you can put your props.con in every "local" folder you have in your Splunk installation (never in "default" folders!) but it's better to insert it in the App where you're working.
If you didn't create an App or you are working in the "Search" App, I suggest, before start to create searches, to create an empty App and then create all the objects in this App.
The important thing is to identify sourcetype of your logs and then use this sourcetype in props.conf.

Bye.
Giuseppe

Re: How to extract fields with not displayed content ?

lllidan — Tue, 29 Sep 2020 22:46:00 GMT

Hi Giuseppe,
do you meant I should copy "$Splunk_Home\etc\system*default**props.conf" file to "$Splunk _Home\etc\system**local**props.conf*" ? and modify the parameter "truncate = 0".

Does this method will influence "Search" App?
And how to create an empty APP in Splunk ?
thanks for your patience and time as well. to be honest, I'm a layman on this field.
Kr.,
Lllidan

Re: How to extract fields with not displayed content ?

soumyasaha25 — Tue, 29 Sep 2020 22:46:02 GMT

to answer your questions:
1. do you meant I should copy "$Splunk_Home\etc\system*default*props.conf" file to "$Splunk
_Home\etc\system*local*props.conf" ? and modify the parameter "truncate = 0".
Ans: yes, you can do it
2. Does this method will influence "Search" App? - yes, the \etc\system\local directory takes precedence over \etc\system\default , check thispage for more information on splunk directories and their precedence
3. And how to create an empty APP in Splunk ? - look here

Re: How to extract fields with not displayed content ?

gcusello — Tue, 15 Jan 2019 10:34:08 GMT

Hi lllidan,
About the first question: yes, you never must modify default folders files, every time you have to copy props.con (or another file) from default to local and them modify it as you like.
If you don't do this, at first upgrade you lose all you modified.
You can see the same behavior when you modify something by web: there's a copy of your file with upgrades in local folders.
If you prefer, you can create an empty props.conf in local folder and add only the stanza name (e.g. [mysourcetype]) and the option you want (e.g. TRUNCATE = 0), because all the other options are from the default file, something like this:

[mysourcetype]
TRUNCATE = 0

About the second question: this configuration will influence all the ingestions of your sourcetype, it doesn't depends on the position of the props.conf file.

About the third question: to create a new App click on "Manage Apps" button and then "Create App" button.

I suggest to follow at least the Fundamentals I course (it's free) and some tutorial
https://docs.splunk.com/Documentation/Splunk/7.2.3/SearchTutorial/WelcometotheSearchTutorial
https://www.tutorialspoint.com/splunk/index.htm

Bye.
Giuseppe

P.S.: if you're satisfied of this answer, please accept and/or upvote it, thank you.

Re: How to extract fields with not displayed content ?

lllidan — Wed, 16 Jan 2019 03:53:52 GMT

Hi Giuseppe,

thanks for you kindly help, do follow that operation, but nothing change.
Actually, I need display more log contents in "file extractor" page to extract hided field.
I share two pictures to you to explain this situation, hope you can browse that.
https://pan.baidu.com/s/1g2rD1eSqtwgtziCTE_u3ow
https://pan.baidu.com/s/1LsKmOpYvGn8jEZvYqVTMkA

I really appreciate your help .