Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

how to extract values using sourcetype?

sfatnass
Contributor
‎10-13-2016 06:23 AM

hi,
i have some logs contain values separate by #.

exemple :

charlie#2016-10-11#125.44.23.10#Mozzila#resolvedTest#1#12

my objectif is to add new fields :
name = charlie
date = 2016-10-11
ip = 125.44.23.10
ua = Mozzila
status = resolvedTest
acted = 1
numact = 12

the separator is #

but how can i edit the configuration

0 Karma
Reply

hunters_splunk
Splunk Employee
Splunk Employee
‎10-13-2016 07:40 AM

Hi sfatnass,

Index your logs and create a custom sourcetype, for example, named mylogs. Then create custom search-time field extraction:

  1. Edit $SPLUNKHOME/etc/apps/search/local/props.conf:

    [mylogs]
    REPORT-mylogs = mylogs

  2. Edit $SPLUNKHOME/etc/apps/search/local/transforms.conf:

    [mylogs]
    DELIMS = "#"
    FIELDS = name date ip ua status acted numact

  3. Reload your configuration files through http://your_splunk_web_url:8000/en-US/debug/refresh , and your logs will have the correct fields extracted.

Hope it helps. Thanks!
Hunter

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎10-13-2016 06:57 AM

Try this:

props.conf
    [ mysourcetype ]
    SHOULD_LINEMERGE=false
    NO_BINARY_CHECK=true
    TIME_FORMAT=%Y-%m-%d
    TIME_PREFIX=\w+\#
    MAX_TIMESTAMP_LOOKAHEAD=10
    REPORT-mylogs = mylogs_fields

transforms.conf
    [mylogs_fields]
    DELIMS = "#"
    FIELDS = "name","date","ip","ua","status","acted","numact"

Bye.
Giuseppe

0 Karma
Reply

sundareshr
Legend
‎10-13-2016 06:44 AM

You could use the Interactive Field Extractor to extract these fields. Select the delim option and use # as the delimiter. You will then have an opportunity to name all the fields that are extracted.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Painting a Clearer Picture: Creating Cross-Domain Visibility with AI Canvas

    Thursday, June 25, 2026  |  11AM PDT / 2PM EDT  Duration: 1 Hour (Includes live Q&A) Register to ...

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...