Splunk Enterprise
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to extract field with variable field

michael_wong
Path Finder
‎03-30-2021 09:49 PM

In transforms.conf I can use DELIMS to extract the field by fixed format.

My question is, if one of the field is changeable, how can we resolve that?

Thanks,

Michael

Labels (1)
Labels
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎04-02-2021 02:47 AM

Hi @michael_wong,

You can use host based transforms to achieve this. Define new transform setting  And call this transform using host stanza.

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

michael_wong
Path Finder
‎04-05-2021 11:37 PM

Hi @scelikok,

Thanks for your answer. Can you tell more about how to make priority?

I have made the change, but looks it didn't take effect. If two report defined in transform.conf, which one will take effect?

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎04-12-2021 10:39 PM

Here is defined precedences over source, host, sourcetype https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf.

Can you share your configurations, so we can easier help you.

r. Ismo

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎03-30-2021 10:01 PM
Are those in some log file/feed or are they from different source/logs?
0 Karma
Reply

michael_wong
Path Finder
‎04-02-2021 02:00 AM

No, they are same source, but have a bit difference since configuration inconsistent

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...