If I have a short event log, I can easily extract the field displayed in the "Extraction fields Wizard" (use the mouse to select the target field and then follow the wizard).
But for a long event log, the event content may not be displayed completely. In this situation, how can I select a field that is in the hidden content? Or can I only use a REX formula?
What do you mean by "the event content may not be displayed completely"?
Could you share an example of your log and what you want to extract?
If your event logs are truncated, see https://docs.splunk.com/Documentation/Splunk/7.2.3/Admin/Propsconf to understand how to avoid truncation.
In a few words, you have to put the option TRUNCATE = 0 in the props.conf stanza for your sourcetype.
You can put your props.conf in any "local" folder in your Splunk installation (never in "default" folders!), but it's better to put it in the App where you're working.
If you didn't create an App, or you are working in the "Search" App, I suggest creating an empty App before you start creating searches, and then creating all your objects in that App.
The important thing is to identify the sourcetype of your logs and then use this sourcetype in props.conf.
Do you mean I should copy the "$Splunk_Home\etc\system\default\props.conf" file to "$Splunk_Home\etc\system\local\props.conf" and modify the parameter "truncate = 0"?
Will this method influence the "Search" App?
And how do I create an empty App in Splunk?
Thanks for your patience and time as well. To be honest, I'm a layman in this field.
About the first question: yes, you must never modify files in the default folders; you always have to copy props.conf (or another file) from default to local and then modify it as you like.
If you don't do this, at the first upgrade you lose everything you modified.
You can see the same behavior when you modify something via the web UI: there's a copy of your file with the updates in the local folders.
If you prefer, you can create an empty props.conf in the local folder and add only the stanza name (e.g. [mysourcetype]) and the option you want (e.g. TRUNCATE = 0), because all the other options come from the default file. Something like this:
[mysourcetype]
TRUNCATE = 0
About the second question: this configuration will influence all ingestion of your sourcetype; it doesn't depend on the location of the props.conf file.
About the third question: to create a new App, click the "Manage Apps" button and then the "Create App" button.
I suggest following at least the Fundamentals I course (it's free) and some tutorials.
P.S.: if you're satisfied with this answer, please accept and/or upvote it, thank you.
Thanks for your kind help. I did follow that procedure, but nothing changed.
Actually, I need to display more log content on the "field extractor" page to extract the hidden field.
I'm sharing two pictures with you to explain this situation; I hope you can view them.
I really appreciate your help.
To answer your questions:
1. Do you mean I should copy the "$Splunk_Home\etc\system\default\props.conf" file to "$Splunk_Home\etc\system\local\props.conf" and modify the parameter "truncate = 0"?
Ans: yes, you can do that.
2. Will this method influence the "Search" App? - Yes, the \etc\system\local directory takes precedence over \etc\system\default; check this page for more information on Splunk directories and their precedence.
3. And how do I create an empty App in Splunk? - Look here.
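Added example, not code from this thread or from Splunk itself: a small Python model of the two points made in the answers above (a minimal local props.conf stanza layered over default/props.conf, and etc/system/local taking precedence over etc/system/default), plus what TRUNCATE does to an event longer than the cap. The conf contents, the sourcetype name mysourcetype and the 12000-byte event are constructed for the demonstration; the helper names (parse_conf, layer, effective, truncate_event, demo) are mine and are not Splunk APIs. The value 10000 is Splunk's shipped default for TRUNCATE.

```python
# Added example (not from the thread): models how Splunk layers a minimal
# local/props.conf over default/props.conf, option by option, and what the
# TRUNCATE setting does to an oversized event. Conf contents are constructed.
import configparser

# Constructed stand-in for $SPLUNK_HOME/etc/system/default/props.conf.
# The real file is much larger; 10000 is Splunk's shipped default for TRUNCATE.
DEFAULT_PROPS = """
[default]
TRUNCATE = 10000
SHOULD_LINEMERGE = true

[mysourcetype]
SHOULD_LINEMERGE = false
"""

# Constructed stand-in for a minimal local props.conf (etc/apps/<app>/local/
# or etc/system/local/) that carries only the one option being overridden.
LOCAL_PROPS = """
[mysourcetype]
TRUNCATE = 0
"""


def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {option: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # Splunk option names are case-sensitive; keep them
    cp.read_string(text)
    return {stanza: dict(cp.items(stanza)) for stanza in cp.sections()}


def layer(*conf_layers):
    """Merge layers in precedence order: a later layer's option wins per stanza.

    Merging is per option, not per stanza, which is why a local stanza holding
    only TRUNCATE still inherits every other option from the default file.
    """
    merged = {}
    for conf in conf_layers:
        for stanza, options in conf.items():
            merged.setdefault(stanza, {}).update(options)
    return merged


def effective(merged, sourcetype, option):
    """Resolve an option for a sourcetype, falling back to the [default] stanza."""
    value = merged.get(sourcetype, {}).get(option)
    if value is None:
        value = merged.get("default", {}).get(option)
    return value


def truncate_event(raw, truncate):
    """Apply TRUNCATE semantics: cut the event to `truncate` bytes; 0 = no limit."""
    limit = int(truncate)
    if limit <= 0:
        return raw
    return raw[:limit]


def demo():
    """Return the effective TRUNCATE before/after the override and the event sizes."""
    before = layer(parse_conf(DEFAULT_PROPS))
    after = layer(parse_conf(DEFAULT_PROPS), parse_conf(LOCAL_PROPS))
    raw = b"A" * 12000  # constructed oversized event, longer than the default cap
    t_before = effective(before, "mysourcetype", "TRUNCATE")
    t_after = effective(after, "mysourcetype", "TRUNCATE")
    return {
        "truncate_before": t_before,
        "truncate_after": t_after,
        "len_before": len(truncate_event(raw, t_before)),
        "len_after": len(truncate_event(raw, t_after)),
        # Untouched by the minimal local stanza; still comes from default.
        "linemerge_after": effective(after, "mysourcetype", "SHOULD_LINEMERGE"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key} = {value}")
```

Two caveats for anyone applying the answers above: TRUNCATE is applied at parse time, so the props.conf has to live on the indexer or heavy forwarder that parses the sourcetype, and it changes only events indexed after the restart; events already indexed stay truncated. TRUNCATE = 0 removes the cap entirely (the props.conf spec itself notes that very long lines are often a sign of garbage data), so a large explicit value such as TRUNCATE = 100000 is the safer choice. To confirm what Splunk actually merged, and which file each value came from, run $SPLUNK_HOME/bin/splunk btool props list mysourcetype --debug on that instance.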