Re: Search by unlabeled fields?

ehs · ‎01-11-2012

Hopefully this is simple enough (I haven't used splunk that much):

Given a log file that looks like this:

1/1/11  John  25  Notes
..

How can I apply "labels" to each value (e.g. the second column would be "NAME") so that I can then do searches like: NAME=John ?

Damien_Dallimor · ‎01-11-2012

You can perform a search time named field extraction with something like this in props.conf

[my_sourcetype]
EXTRACT-extract_my_fields = (?<datetime>\d+/\d+/\d+)\s+(?<name>\w+)\s+(?<col3>\d+)\s+(?<col4>\w+)

Drainy · ‎01-11-2012

Have a look at the interactive field extractor, it should be able to help you;
http://docs.splunk.com/Documentation/Splunk/latest/User/InteractiveFieldExtractionExample

If you have trouble with it you could create a regex to identify all the fields in the event and use the props and transforms configuration files. Have a go and if you have any troubles feel free to update your question with your attempts!

http://docs.splunk.com/Documentation/Splunk/4.3/Admin/Transformsconf
http://docs.splunk.com/Documentation/Splunk/4.3/Admin/Propsconf

For a headstart a regex like;

\d+/\d+/\d+\s+(\w+)\s+(\d+)\s+(\w+)

Would capture JOhn, 25 and Notes into a different group each (group 1, 2 and 3 respectively), look at the "FORMAT = " part of the transforms config on how to apply a fieldname

Search by unlabeled fields?

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Join the Conversation

Search by unlabeled fields?

[Puzzles] Solve, Learn, Repeat: Reprocessing XML into Fixed-Length Events

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?