https://community.splunk.com/t5/Splunk-Search/Why-some-Fields-are-extracted-and-some-are-not/m-p/18053#M2577 <P>it extract some values under _serial field, even though it is not there in transforms.conf.</P> Tue, 31 May 2011 06:05:02 GMT tkadale 2011-05-31T06:05:02Z https://community.splunk.com/t5/Splunk-Search/Why-some-Fields-are-extracted-and-some-are-not/m-p/18048#M2572 <P>I have indexed memory log files for windows. I have done the required the configuration in props.conf and transforms.conf. but only few fields are extracted and few are not. How does it happen. Either it should extract all fields or none. <BR /> Can anybody help??<BR /> Thanks in Advance. </P> Fri, 27 May 2011 05:43:55 GMT https://community.splunk.com/t5/Splunk-Search/Why-some-Fields-are-extracted-and-some-are-not/m-p/18048#M2572 tkadale 2011-05-27T05:43:55Z https://community.splunk.com/t5/Splunk-Search/Why-some-Fields-are-extracted-and-some-are-not/m-p/18049#M2573 <P>Hi, </P> <P>my suggestion is to use REGEX tool to test your extract rule first ( if you are using "EXTRACT-" or "REPORT-" to extract field).</P> <P>or you can share your props.conf , transforms.conf and some sample events , we can take a look .</P> Fri, 27 May 2011 09:44:14 GMT https://community.splunk.com/t5/Splunk-Search/Why-some-Fields-are-extracted-and-some-are-not/m-p/18049#M2573 dmlee 2011-05-27T09:44:14Z https://community.splunk.com/t5/Splunk-Search/Why-some-Fields-are-extracted-and-some-are-not/m-p/18050#M2574 <P>Here is my props.conf stanza's<BR /> [source::...<EM>NT_Memory</EM>...]<BR /> sourcetype = win-memory<BR /> TRANSFORMS-null= setnull</P> Mon, 28 Sep 2020 09:37:18 GMT https://community.splunk.com/t5/Splunk-Search/Why-some-Fields-are-extracted-and-some-are-not/m-p/18050#M2574 tkadale 2020-09-28T09:37:18Z https://community.splunk.com/t5/Splunk-Search/Why-some-Fields-are-extracted-and-some-are-not/m-p/18051#M2575 <P>[win-memory]<BR /> REPORT-win-memory=argus_extractions_win_memory</P> Mon, 28 Sep 2020 09:37:21 GMT https://community.splunk.com/t5/Splunk-Search/Why-some-Fields-are-extracted-and-some-are-not/m-p/18051#M2575 tkadale 2020-09-28T09:37:21Z https://community.splunk.com/t5/Splunk-Search/Why-some-Fields-are-extracted-and-some-are-not/m-p/18052#M2576 <P>Then in transforms.conf I have mentioned the fields:<BR /> [argus_extractions_win_memory]<BR /> DELIMS=","<BR /> FIELDS = Here are around 25 fields.<BR /> Only first 10 fields are extracted.</P> Mon, 28 Sep 2020 09:37:24 GMT https://community.splunk.com/t5/Splunk-Search/Why-some-Fields-are-extracted-and-some-are-not/m-p/18052#M2576 tkadale 2020-09-28T09:37:24Z https://community.splunk.com/t5/Splunk-Search/Why-some-Fields-are-extracted-and-some-are-not/m-p/18053#M2577 <P>it extract some values under _serial field, even though it is not there in transforms.conf.</P> Tue, 31 May 2011 06:05:02 GMT https://community.splunk.com/t5/Splunk-Search/Why-some-Fields-are-extracted-and-some-are-not/m-p/18053#M2577 tkadale 2011-05-31T06:05:02Z https://community.splunk.com/t5/Splunk-Search/Why-some-Fields-are-extracted-and-some-are-not/m-p/18054#M2578 <P>Hi, did you ever find a resolution to this? I am experiencing the same phenomenom in splunk 5.0.1. Some fields are being extracted properly and sometimes they are not (the same fields I mean!) Very strange.</P> Wed, 27 Mar 2013 15:39:10 GMT https://community.splunk.com/t5/Splunk-Search/Why-some-Fields-are-extracted-and-some-are-not/m-p/18054#M2578 srowe 2013-03-27T15:39:10Z