https://community.splunk.com/t5/Splunk-Search/Creating-new-Field-Extractions/m-p/105198#M27278 <P>I have a set of log data in Splunk Search app contained in source=sampledata,sourcetype=sample.<BR /> field1,field2,field3 are new fields that i added through the recievers REST endpoint</P> <P>3/30/12<BR /> 8:56:11.000 AM field1=Happy,field2=Sad,field3=Angry</P> <P>host=myhost sourcetype=sample source=sampledata index=main timestamp=none splunk_server=L33604 punct==,=,= linecount=1 </P> <P>3/30/12<BR /> 8:56:11.000 AM field1=Happy,field2=Sad,field3=Angry</P> <P>host=myhost sourcetype=sample source=sampledata index=main timestamp=none splunk_server=L33604 punct==,=,= linecount=1 </P> <P>3/30/12<BR /> 8:56:11.000 AM field1=Happy,field2=Sad,field3=Angry</P> <P>host=myhost sourcetype=sample source=sampledata index=main timestamp=none splunk_server=L33604 punct==,=,= linecount=1 </P> <P>Lets say if i want to extract the fields: field1, field2 &amp; field3 at search time, so i configured the say i am going to create new field exractions in $Splunk_HOME/users/admin/search/local/props.conf (props config file for search app) </P> <P>What is the regex expression to extract each of these fields at search time(extracting the key value pairs during search time)? I thought it would be something like [\^$.|?*+()]. </P> Fri, 30 Mar 2012 01:09:57 GMT misteryuku 2012-03-30T01:09:57Z https://community.splunk.com/t5/Splunk-Search/Creating-new-Field-Extractions/m-p/105198#M27278 <P>I have a set of log data in Splunk Search app contained in source=sampledata,sourcetype=sample.<BR /> field1,field2,field3 are new fields that i added through the recievers REST endpoint</P> <P>3/30/12<BR /> 8:56:11.000 AM field1=Happy,field2=Sad,field3=Angry</P> <P>host=myhost sourcetype=sample source=sampledata index=main timestamp=none splunk_server=L33604 punct==,=,= linecount=1 </P> <P>3/30/12<BR /> 8:56:11.000 AM field1=Happy,field2=Sad,field3=Angry</P> <P>host=myhost sourcetype=sample source=sampledata index=main timestamp=none splunk_server=L33604 punct==,=,= linecount=1 </P> <P>3/30/12<BR /> 8:56:11.000 AM field1=Happy,field2=Sad,field3=Angry</P> <P>host=myhost sourcetype=sample source=sampledata index=main timestamp=none splunk_server=L33604 punct==,=,= linecount=1 </P> <P>Lets say if i want to extract the fields: field1, field2 &amp; field3 at search time, so i configured the say i am going to create new field exractions in $Splunk_HOME/users/admin/search/local/props.conf (props config file for search app) </P> <P>What is the regex expression to extract each of these fields at search time(extracting the key value pairs during search time)? I thought it would be something like [\^$.|?*+()]. </P> Fri, 30 Mar 2012 01:09:57 GMT https://community.splunk.com/t5/Splunk-Search/Creating-new-Field-Extractions/m-p/105198#M27278 misteryuku 2012-03-30T01:09:57Z https://community.splunk.com/t5/Splunk-Search/Creating-new-Field-Extractions/m-p/105199#M27279 <P>By default, Splunk will automatically extract the fields based on key=value format. the left of equal sign as field name and the right as its value.</P> Fri, 30 Mar 2012 01:41:08 GMT https://community.splunk.com/t5/Splunk-Search/Creating-new-Field-Extractions/m-p/105199#M27279 hjwang 2012-03-30T01:41:08Z https://community.splunk.com/t5/Splunk-Search/Creating-new-Field-Extractions/m-p/105200#M27280 <P>Yeah. When i want to retrieve the results from the search as an XML through search/jobs/{search_id}/results endpoint the i want the field xml tags to have the new field names i have created. <BR /> For example i want to see something like this when i retrieve.<BR /> <FIELD k="field1"><BR /> <VALUE><TEXT>Happy</TEXT></VALUE><BR /> </FIELD></P> Fri, 30 Mar 2012 01:53:45 GMT https://community.splunk.com/t5/Splunk-Search/Creating-new-Field-Extractions/m-p/105200#M27280 misteryuku 2012-03-30T01:53:45Z https://community.splunk.com/t5/Splunk-Search/Creating-new-Field-Extractions/m-p/105201#M27281 <P>You need to specify the fields you want to be returned in your search request. Do that, and the fields you want will show up.</P> Fri, 30 Mar 2012 05:58:08 GMT https://community.splunk.com/t5/Splunk-Search/Creating-new-Field-Extractions/m-p/105201#M27281 Ayn 2012-03-30T05:58:08Z https://community.splunk.com/t5/Splunk-Search/Creating-new-Field-Extractions/m-p/105202#M27282 <P>As in the search commands?</P> Fri, 30 Mar 2012 06:04:54 GMT https://community.splunk.com/t5/Splunk-Search/Creating-new-Field-Extractions/m-p/105202#M27282 misteryuku 2012-03-30T06:04:54Z https://community.splunk.com/t5/Splunk-Search/Creating-new-Field-Extractions/m-p/105203#M27283 <P>As a parameter in the API call. Specifically, the <CODE>rf</CODE> parameter. More info here: <A href="http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTsearches#Tips_on_creating_searches">http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTsearches#Tips_on_creating_searches</A></P> Fri, 30 Mar 2012 06:11:59 GMT https://community.splunk.com/t5/Splunk-Search/Creating-new-Field-Extractions/m-p/105203#M27283 Ayn 2012-03-30T06:11:59Z https://community.splunk.com/t5/Splunk-Search/Creating-new-Field-Extractions/m-p/105204#M27284 <P>How to disable - extracting the fields based on key=value format in splunk, this is messing up my fields information, as i have defined columns in transform.conf file. </P> Sat, 24 May 2014 00:33:59 GMT https://community.splunk.com/t5/Splunk-Search/Creating-new-Field-Extractions/m-p/105204#M27284 deepakmurthy 2014-05-24T00:33:59Z