I am new to Splunk. Could anyone please tell me how I should proceed in editing the .conf files in the local directory? Are these changes critical to the parsing of the log files before they are indexed for search? I know that inputs.conf and sourcetypes.conf have to be changed, but I am not getting the required fields as per the log files, even if I do not make any changes at all.
The best place to start is here.
For the basics of adding data to Splunk, this will make the changes to the config files for you. For more advanced data there are examples and details in our online documentation as well.
Usually parsing rules and field extraction (index-time and search-time) are in props.conf, organized per sourcetype.
For index-time, add it on the indexer; for search-time, on the search head (if any).
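To make the props.conf layout concrete, here is an added example (not from this thread or Splunk's shipped configs) for a constructed sourcetype `app:auth` and a constructed log line; the stanza names, field names and the monitor path are assumptions. Search-time extractions (`EXTRACT-*`) go on the search head and apply to already-indexed events; index-time transforms (`TRANSFORMS-*`) go on the indexer and only affect events indexed after the change.

```ini
# Constructed sample event the extractions below are written against:
# 2024-05-01T12:34:56Z host=web01 user=alice action=login status=failure src=203.0.113.7

# --- inputs.conf (on the forwarder or indexer that reads the file) ---
[monitor:///var/log/app/auth.log]
sourcetype = app:auth
index = main

# --- props.conf ---
# Keep this in $SPLUNK_HOME/etc/apps/<your_app>/local/, not in default/.
[app:auth]
# Event breaking and timestamping happen at index time (indexer / heavy forwarder)
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%SZ
MAX_TIMESTAMP_LOOKAHEAD = 20
# Search-time extraction (search head): named capture groups become fields.
# Editing this regex takes effect on the next search, no re-indexing needed.
EXTRACT-auth_fields = user=(?<user>\S+)\s+action=(?<action>\S+)\s+status=(?<status>\S+)\s+src=(?<src_ip>\S+)
# Index-time extraction (indexer): references a transforms.conf stanza.
TRANSFORMS-auth_host = auth_host_idx

# --- transforms.conf (indexer) ---
[auth_host_idx]
REGEX = host=(\S+)
FORMAT = orig_host::$1
WRITE_META = true

# --- fields.conf (search head), so the indexed field is searched as a term ---
[orig_host]
INDEXED = true
```

After saving, check which stanza actually wins the layering with `splunk btool props list app:auth --debug`, then confirm the fields with a search such as `sourcetype=app:auth status=failure | stats count by user, src_ip`.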
I have read in a good many places that rather than playing with config files beforehand, it is always better to do it after providing the input and parsing, i.e. dynamic searching. This may result in the addition of fields when we use regex on the log event entries in the index obtained from Splunk.
But making changes with regex for a particular field, then obtaining one of use and then saving it is also not an easy task, especially if you are not good at regex.
I would recommend trying the field extractor. That might help you get some of the extractions that aren't discovered automatically.