https://community.splunk.com/t5/Splunk-Search/Extract-filed-from-delimited-log-file/m-p/18219#M2614 <P>Hi , you can refer to below link : <BR /> <A href="http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F">http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F</A></P> Wed, 10 Aug 2011 06:06:17 GMT dmlee 2011-08-10T06:06:17Z https://community.splunk.com/t5/Splunk-Search/Extract-filed-from-delimited-log-file/m-p/18215#M2610 <P>Hi,</P> <P>I am trying to extract some custom fields form a log file which is delimited by :: and i made the following set up in props.conf and transforms.conf :</P> <P>props.conf :</P> <P>[storngmail_failed]<BR /> TRANSFORMS-strongf=parse_strongmail_failed</P> <P>trasnforms.conf :</P> <P>[parse_strongmail_failed]<BR /> DELIMS = "::"<BR /> FIELDS = "Date", "Serial-Number", "mailing-ID", "Database-ID", "Message-ID", "User-ID", "DB-RN", "DB-NAME", "Msg-SN", "Email-Address", "Bounce-Reason", "VSG-Name", "Outbound-IP", "Reciever-IP", "Category"</P> <P>How can I configure props.conf or transforms.conf in order to do that an where do i should put these files?</P> <P>Thanks !!!</P> Mon, 28 Sep 2020 09:37:13 GMT https://community.splunk.com/t5/Splunk-Search/Extract-filed-from-delimited-log-file/m-p/18215#M2610 oarandes 2020-09-28T09:37:13Z https://community.splunk.com/t5/Splunk-Search/Extract-filed-from-delimited-log-file/m-p/18216#M2611 <P>hi,<BR /> I think you already make sure your sourcetype is "strongmail_failed"</P> <P>second, you can put those two conf files under $SPLUNK_HOME/etc/system/local if you haven't create your own App . if you had created your own App said "strongmail", you can put conf files under $SPLUNK_HOME/etc/apps/strongmail/local/</P> <P>and because it is "search time" configuration , so you should put them on search head </P> Mon, 28 Sep 2020 09:37:16 GMT https://community.splunk.com/t5/Splunk-Search/Extract-filed-from-delimited-log-file/m-p/18216#M2611 dmlee 2020-09-28T09:37:16Z https://community.splunk.com/t5/Splunk-Search/Extract-filed-from-delimited-log-file/m-p/18217#M2612 <P>HI thanks for the answer but, what do you mean by putting this config on search head ?</P> <P>Thanks Again !!!</P> Fri, 27 May 2011 09:53:09 GMT https://community.splunk.com/t5/Splunk-Search/Extract-filed-from-delimited-log-file/m-p/18217#M2612 oarandes 2011-05-27T09:53:09Z https://community.splunk.com/t5/Splunk-Search/Extract-filed-from-delimited-log-file/m-p/18218#M2613 <P>Just one more question :</P> <P>I can see in Manager--&gt;Field extractions the settings I configured above but the fields are not available when i use the search app.<BR /> how can make the new extract fields available ?</P> <P>Thnks,</P> Fri, 27 May 2011 10:00:25 GMT https://community.splunk.com/t5/Splunk-Search/Extract-filed-from-delimited-log-file/m-p/18218#M2613 oarandes 2011-05-27T10:00:25Z https://community.splunk.com/t5/Splunk-Search/Extract-filed-from-delimited-log-file/m-p/18219#M2614 <P>Hi , you can refer to below link : <BR /> <A href="http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F">http://www.splunk.com/wiki/Where_do_I_configure_my_Splunk_settings%3F</A></P> Wed, 10 Aug 2011 06:06:17 GMT https://community.splunk.com/t5/Splunk-Search/Extract-filed-from-delimited-log-file/m-p/18219#M2614 dmlee 2011-08-10T06:06:17Z https://community.splunk.com/t5/Splunk-Search/Extract-filed-from-delimited-log-file/m-p/18220#M2615 <P>sorry , I missed something<BR /> I saw you use "TRANSFORMS" to extract fields, it's index time field extraction , you need to "reindex" (chean and index again) your log files , I suggest you change to "REPORT" , it's search time field extraction .</P> <P>for more information about the difference between REPORT and TRANSFORMS , please refer to props.con.spec line 413.</P> Wed, 10 Aug 2011 06:09:40 GMT https://community.splunk.com/t5/Splunk-Search/Extract-filed-from-delimited-log-file/m-p/18220#M2615 dmlee 2011-08-10T06:09:40Z