https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-using-regex-at-indexing-time/m-p/313951#M93967 <P>it removed everything in brackets <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Tue, 17 Oct 2017 07:43:43 GMT kunalmao 2017-10-17T07:43:43Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-using-regex-at-indexing-time/m-p/313948#M93964 <P>Hi,</P> <P>I'm ingesting the data in JSON format. we have a field event.user, which is auto extracted. is there a way to extract the new field user from event.user filed at indexing time?</P> <P>for example:</P> <P>event.user :<BR /> kiran331@SPl, <BR /> splunk@ADDS</P> <P>I need to extract:</P> <P>user:<BR /> kiran331<BR /> splunk</P> Mon, 16 Oct 2017 17:31:39 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-using-regex-at-indexing-time/m-p/313948#M93964 kiran331 2017-10-16T17:31:39Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-using-regex-at-indexing-time/m-p/313949#M93965 <P>The following is great - <A href="http://docs.splunk.com/Documentation/SplunkCloud/6.6.1/Data/Configureindex-timefieldextraction">Create custom fields at index time</A></P> Mon, 16 Oct 2017 23:06:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-using-regex-at-indexing-time/m-p/313949#M93965 ddrillic 2017-10-16T23:06:40Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-using-regex-at-indexing-time/m-p/313950#M93966 <P>props.conf at your indexer<BR /> []<BR /> REGEX = <BR /> FORMAT = ::$1<BR /> WRITE_META = [true|false]<BR /> DEST_KEY = <BR /> DEFAULT_VALUE = <BR /> SOURCE_KEY = <BR /> REPEAT_MATCH = [true|false]<BR /> LOOKAHEAD = </P> <P>and then bind it to transforms.conf at your indexer</P> <P>[]<BR /> TRANSFORMS- = </P> <P>for more details you can refer</P> <P><A href="http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/Configureindex-timefieldextraction" target="_blank">http://docs.splunk.com/Documentation/SplunkCloud/6.6.3/Data/Configureindex-timefieldextraction</A></P> Tue, 29 Sep 2020 16:19:11 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-using-regex-at-indexing-time/m-p/313950#M93966 kunalmao 2020-09-29T16:19:11Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-using-regex-at-indexing-time/m-p/313951#M93967 <P>it removed everything in brackets <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Tue, 17 Oct 2017 07:43:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-using-regex-at-indexing-time/m-p/313951#M93967 kunalmao 2017-10-17T07:43:43Z https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-using-regex-at-indexing-time/m-p/313952#M93968 <P>You should be able to edit your answer to update the text. When writing code, put four spaces before each line to convert the text into a code block - this prevents your text from being modified automatically.</P> Tue, 21 Nov 2017 05:25:49 GMT https://community.splunk.com/t5/Splunk-Search/How-to-extract-a-field-using-regex-at-indexing-time/m-p/313952#M93968 mtulett_splunk 2017-11-21T05:25:49Z