https://community.splunk.com/t5/Splunk-Search/Manual-Field-Extraction-Configuration/m-p/56902#M13922 <P>Hello. I think your simple mistake.</P> <P>[we_accesslog_extsqu_fields]<BR /> DELIM<B>S</B> = " "<BR /> FIELDS = "Current-Time", "Time-to-Serve", "Client-IP", "Request-Desc/Status-Returned", "Bytes-Xferred", "Method", "URL", "MIME-Type"</P> Thu, 10 Mar 2011 12:39:22 GMT Hajime 2011-03-10T12:39:22Z https://community.splunk.com/t5/Splunk-Search/Manual-Field-Extraction-Configuration/m-p/56901#M13921 <P>Greetings fellow Splunkers (and Splunkettes),</P> <P>Yet another field extraction question I'm afraid.</P> <P>I have two log file types: <CODE>we_accesslog_extsqu</CODE> and <CODE>mms_export_e_wms_90</CODE>.</P> <P>My field extraction for the <CODE>mms</CODE> logs works, however the <CODE>we</CODE> logs do not, despite being identically configured. </P> <P>Here are my configs:</P> <P><STRONG>props.conf</STRONG><BR /> <CODE>[mms_export_e_wms_90]</CODE><BR /> <CODE>pulldown_type=true</CODE><BR /> <CODE>KV_MODE=none</CODE><BR /> <CODE>SHOULD_LINEMERGE=false</CODE><BR /> <CODE>TZ=Australia/Melbourne</CODE><BR /> <CODE>TRANSFORMS-comment=mms_export_e_wms_90_comment</CODE><BR /> <CODE>REPORT-header=mms_export_e_wms_90_fields</CODE><BR /></P> <P><CODE>[we_accesslog_extsqu]</CODE><BR /> <CODE>pulldown_type=true</CODE><BR /> <CODE>KV_MODE=none</CODE><BR /> <CODE>SHOULD_LINEMERGE=false</CODE><BR /> <CODE>TZ=Australia/Melbourne</CODE><BR /> <CODE>TRANSFORMS-toNull=we_accesslog_extsqu_header,we_accesslog_extsqu_footer</CODE><BR /> <CODE>REPORT-weFields=we_accesslog_extsqu_fields</CODE><BR /></P> <P><STRONG>transforms.conf</STRONG><BR /> <CODE>[mms_export_e_wms_90_comment]</CODE><BR /> <CODE>REGEX=^#</CODE><BR /> <CODE>DEST_KEY=queue</CODE><BR /> <CODE>FORMAT=nullQueue</CODE><BR /></P> <P><CODE>[mms_export_e_wms_90_fields]</CODE><BR /> <CODE>DELIMS = " "</CODE><BR /> <CODE>FIELDS = "c-ip", "date", "time", "c-dns", "cs-uri-stem", "c-starttime", "x-duration", "c-rate", "c-status", "c-playerid", "c-playerversion", "c-playerlanguage", "cs(User-Agent)", "cs(Referer)", "c-hostexe", "c-hostexever", "c-os", "c-osversion", "c-cpu", "filelength", "filesize", "avgbandwidth", "protocol", "transport", "audiocodec", "videocodec", "channelURL", "sc-bytes", "c-bytes", "s-pkts-sent", "c-pkts-received", "c-pkts-lost-client", "c-pkts-lost-net", "c-pkts-lost-cont-net", "c-resendreqs", "c-pkts-recovered-ECC", "c-pkts-recovered-resent", "c-buffercount", "c-totalbuffertime", "c-quality", "s-ip", "s-dns", "s-totalclients", "s-cpu-util", "cs_user_name", "s_session_id", "s_content_path", "cs_url", "cs_media_name", "c_max_bandwidth", "cs_media_role", "s_proxied", "SE-action", "SE-bytes", "Username"</CODE><BR /></P> <P><CODE>[we_accesslog_extsqu_header]</CODE><BR /> <CODE>REGEX = ^C</CODE><BR /> <CODE>DEST_KEY = queue</CODE><BR /> <CODE>FORMAT = nullQueue</CODE><BR /></P> <P><CODE>[we_accesslog_extsqu_footer]</CODE><BR /> <CODE>REGEX = ^#</CODE><BR /> <CODE>DEST_KEY = queue</CODE><BR /> <CODE>FORMAT = nullQueue</CODE><BR /></P> <P><CODE>[we_accesslog_extsqu_fields]</CODE><BR /> <CODE>DELIM = " "</CODE><BR /> <CODE>FIELDS = "Current-Time", "Time-to-Serve", "Client-IP", "Request-Desc/Status-Returned", "Bytes-Xferred", "Method", "URL", "MIME-Type"</CODE><BR /> </P><HR /> I'm happy to provide samples of the logs if they'll help?<P></P> <P>As far as I can tell, both configurations are (in principle) identical, yet I cannot get Splunk to recognise the <CODE>we_accesslogs_extsqu</CODE> fields... can anyone possibly help me shed some light on this please?</P> Thu, 10 Mar 2011 11:28:08 GMT https://community.splunk.com/t5/Splunk-Search/Manual-Field-Extraction-Configuration/m-p/56901#M13921 rturk 2011-03-10T11:28:08Z https://community.splunk.com/t5/Splunk-Search/Manual-Field-Extraction-Configuration/m-p/56902#M13922 <P>Hello. I think your simple mistake.</P> <P>[we_accesslog_extsqu_fields]<BR /> DELIM<B>S</B> = " "<BR /> FIELDS = "Current-Time", "Time-to-Serve", "Client-IP", "Request-Desc/Status-Returned", "Bytes-Xferred", "Method", "URL", "MIME-Type"</P> Thu, 10 Mar 2011 12:39:22 GMT https://community.splunk.com/t5/Splunk-Search/Manual-Field-Extraction-Configuration/m-p/56902#M13922 Hajime 2011-03-10T12:39:22Z https://community.splunk.com/t5/Splunk-Search/Manual-Field-Extraction-Configuration/m-p/56903#M13923 <P>GAHHHH!!! Legend!!! If it was a semi-colon I would have noticed... thanks heaps Hajime!</P> Thu, 10 Mar 2011 12:58:58 GMT https://community.splunk.com/t5/Splunk-Search/Manual-Field-Extraction-Configuration/m-p/56903#M13923 rturk 2011-03-10T12:58:58Z