Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to extract fields from a specific field instead of raw data using the conf files?

rsimmons
Splunk Employee
Splunk Employee
‎11-02-2015 01:19 PM

How to extract fields from a specific field instead of raw data using the conf files? Can it be done with EXTRACT-<class> = [<regex>|<regex> in <src_field>] in props.conf?

0 Karma
Reply

gcato
Contributor
‎11-02-2015 01:24 PM

Hi rsimmons,

Looks like this has already been answered here: https://answers.splunk.com/answers/47982/extracting-field-from-a-field-other-than-raw-in-props-conf....

You need to use transforms configuration instead.

Hope this helps.

0 Karma
Reply

rsimmons
Splunk Employee
Splunk Employee
‎11-02-2015 01:22 PM

The extract fields command only works on raw data with transforms.conf however not with index data. The extractions is done via kv_mode=auto for the fields.

Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top