https://community.splunk.com/t5/Splunk-Search/Field-extraction-and-Splunk-forwarding/m-p/98204#M25305 <P>Are your field extractions <STRONG>search-time</STRONG> or <STRONG>index-time</STRONG>? They should be search-time. Can you post your <CODE>props.conf</CODE> and <CODE>transforms.conf</CODE> so we can see them?</P> <P>If your field extractions are index-time, they will not apply retroactively to data that has already been indexed. (One of the several disadvantages of index-time fields.) Search-time field extractions apply to all data, regardless of when it was indexed.</P> <P>If you aren't sure whether your field extractions are search-time or index-time, check out the links below. Also, we will be able to tell once we see the .conf files.<BR /> Useful links:<BR /><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/admin/Indextimeversussearchtime">http://docs.splunk.com/Documentation/Splunk/latest/admin/Indextimeversussearchtime</A><BR /><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles">http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles</A> </P> Fri, 13 Jul 2012 16:53:21 GMT lguinn2 2012-07-13T16:53:21Z https://community.splunk.com/t5/Splunk-Search/Field-extraction-and-Splunk-forwarding/m-p/98203#M25304 <P>I have systems sending data to splunk1 in the form: k1=v1 k2=v2<BR /> I have field extraction configured for the sourcetype,to extract those fields as name1 and name2. This works fine.<BR /> I have another system sending similar data to splunk2, which is configured to route it, based our "source" to splunk1.</P> <P>the data from this remote system, though it has the correct sourcetype, does not get my custom field extraction applied, instead I get the automatic fields extracted with thier short names, k1, k2.</P> <P>I tried adding my extraction rules to props/transforms on splunk2, in addition to splunk1, but to no avail. How can I fix this?</P> Fri, 13 Jul 2012 13:03:04 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction-and-Splunk-forwarding/m-p/98203#M25304 lrhazi 2012-07-13T13:03:04Z https://community.splunk.com/t5/Splunk-Search/Field-extraction-and-Splunk-forwarding/m-p/98204#M25305 <P>Are your field extractions <STRONG>search-time</STRONG> or <STRONG>index-time</STRONG>? They should be search-time. Can you post your <CODE>props.conf</CODE> and <CODE>transforms.conf</CODE> so we can see them?</P> <P>If your field extractions are index-time, they will not apply retroactively to data that has already been indexed. (One of the several disadvantages of index-time fields.) Search-time field extractions apply to all data, regardless of when it was indexed.</P> <P>If you aren't sure whether your field extractions are search-time or index-time, check out the links below. Also, we will be able to tell once we see the .conf files.<BR /> Useful links:<BR /><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/admin/Indextimeversussearchtime">http://docs.splunk.com/Documentation/Splunk/latest/admin/Indextimeversussearchtime</A><BR /><BR /> <A href="http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles">http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Createandmaintainsearch-timefieldextractionsthroughconfigurationfiles</A> </P> Fri, 13 Jul 2012 16:53:21 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction-and-Splunk-forwarding/m-p/98204#M25305 lguinn2 2012-07-13T16:53:21Z https://community.splunk.com/t5/Splunk-Search/Field-extraction-and-Splunk-forwarding/m-p/98205#M25306 <P>Thanks a alot.. My extractions are like what follows.. I guess index-time?</P> <P>props.conf:</P> <P>[bigip-syslog]<BR /> REPORT-gtm-dns-fields = gtm-dns-fields-1</P> <P>transforms.conf:<BR /> [gtm-dns-fields-1]<BR /> REGEX = v=([\d.]+):? c=([\d.]+)<BR /> FORMAT = vip::$1 client::$2</P> Fri, 13 Jul 2012 17:04:25 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction-and-Splunk-forwarding/m-p/98205#M25306 lrhazi 2012-07-13T17:04:25Z https://community.splunk.com/t5/Splunk-Search/Field-extraction-and-Splunk-forwarding/m-p/98206#M25307 <P>Thanks a lot for the links... which lead me to "Field aliasing", which is really all I needed, Splunk already parses and extract my fields correctly, just needed them renamed, and aliasing seems to work just fine too!</P> Fri, 13 Jul 2012 17:17:17 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction-and-Splunk-forwarding/m-p/98206#M25307 lrhazi 2012-07-13T17:17:17Z https://community.splunk.com/t5/Splunk-Search/Field-extraction-and-Splunk-forwarding/m-p/98207#M25308 <P>Glad it worked. This is search-time field extraction BTW.</P> Fri, 13 Jul 2012 18:32:35 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction-and-Splunk-forwarding/m-p/98207#M25308 lguinn2 2012-07-13T18:32:35Z