Version 5.0.3

gajananh999 · ‎06-10-2013

Dear All,

Here is my one event

S.R. Cable TV Pvt Ltd ,Indore,Indore,Indore,Indore,01/04/2010,30/04/2010,Broadband,262,217,232, 11384,8266,8699,280,341,Direct Subs,20,172

i am able to extract all the fields accept bold letter fields in data.

i want to extract indore which is 5th field in line. but when i want to extract it is taking 2nd field as extracted field.

lly it is happening for all fields which bold in event.

Please can anyone help me on this.

Thanks
Gajanan

kristian_kolb · ‎06-10-2013

How do you try to extract them?
What does your config files (props/transforms) look like?

Is that a CSV formatted file? In that case, you might have a look at DELIMS;

props.conf

[your_sourcetype]
REPORT-blah = extract_stuff

transforms.con

[extract_stuff]
DELIMS = ","
FIELDS = field1, field2, field3 ...

Hope this helps,

K

View solution in original post

kristian_kolb · ‎06-10-2013

How do you try to extract them?
What does your config files (props/transforms) look like?

Is that a CSV formatted file? In that case, you might have a look at DELIMS;

props.conf

[your_sourcetype]
REPORT-blah = extract_stuff

transforms.con

[extract_stuff]
DELIMS = ","
FIELDS = field1, field2, field3 ...

Hope this helps,

K

gajananh999 · ‎06-10-2013

Thank you so much kristian,it works for me.

gajananh999 · ‎06-10-2013

Hey Kristian,
Try to extract field using field extractor

my props.conf looks like

Version 5.0.3

[splunkd]
EXTRACT-fields = (?i)^(?:[^ ]* ){2}(?:[+-]\d+ )?(?P[^ ]*)\s+(?P[^ ]+) - (?P.+)

[splunk_web_service]
EXTRACT-useragent = userAgent=(?P[^ (]+)

yes that file is in csv format

let me try your solution

Thanks
gajanan

not able to extract fileds

Version 5.0.3

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!