Re: Why some Fields are extracted and some are not

tkadale · ‎05-26-2011

I have indexed memory log files for windows. I have done the required the configuration in props.conf and transforms.conf. but only few fields are extracted and few are not. How does it happen. Either it should extract all fields or none.
Can anybody help??
Thanks in Advance.

dmlee · ‎05-27-2011

Hi,

my suggestion is to use REGEX tool to test your extract rule first ( if you are using "EXTRACT-" or "REPORT-" to extract field).

or you can share your props.conf , transforms.conf and some sample events , we can take a look .

srowe · ‎03-27-2013

Hi, did you ever find a resolution to this? I am experiencing the same phenomenom in splunk 5.0.1. Some fields are being extracted properly and sometimes they are not (the same fields I mean!) Very strange.

tkadale · ‎05-30-2011

it extract some values under _serial field, even though it is not there in transforms.conf.

tkadale · ‎05-27-2011

Then in transforms.conf I have mentioned the fields:
[argus_extractions_win_memory]
DELIMS=","
FIELDS = Here are around 25 fields.
Only first 10 fields are extracted.

tkadale · ‎05-27-2011

[win-memory]
REPORT-win-memory=argus_extractions_win_memory

tkadale · ‎05-27-2011

Here is my props.conf stanza's
[source::...NT_Memory...]
sourcetype = win-memory
TRANSFORMS-null= setnull

Why some Fields are extracted and some are not

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation