Solved: Custom dynamic field extraction

Simon · ‎12-14-2012

Dear fellow splunkers,

I've got some events where the automatic field extraction of Splunk doesn't work. The log format looks like:

[log@1588 value="RASLOG"][timestamp@1588 value="2012-12-14T08:41:12.718453"][msgid@1588 value="SEC-1193"][seqnum@1588 value="26555"][severity@1588 value="INFO"]

Is there a way to create dynamic field extractions in the form of:

[<key>@1588 value=<value>]

I'm aware that it's possible to create a field extraction for each of my fields by hand but I'm searching for a dynamic solution 🙂

Thanks
Simon

Ayn · ‎12-14-2012

Sure.

In transforms.conf, define your extraction:

[mycustomextraction]
REGEX = \[([^@]+)@1588 value="([^"]+)"
FORMAT = $1::$2

Then refer to your extraction in props.conf

[mysourcetype]
REPORT-customextraction = mycustomextraction

View solution in original post

Ayn · ‎12-14-2012

Sure.

In transforms.conf, define your extraction:

[mycustomextraction]
REGEX = \[([^@]+)@1588 value="([^"]+)"
FORMAT = $1::$2

Then refer to your extraction in props.conf

[mysourcetype]
REPORT-customextraction = mycustomextraction

Simon · ‎12-14-2012

Oh man, that's so ridiculous simple that I feel shamed now 😉 Thanks for that quick solution!

Custom dynamic field extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Join the Conversation