Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

configuring field extraction

Tridi123
New Member
‎09-28-2012 10:01 AM

Hi,
I want to enable automatic field extraction from header. My file looks like this format

emp|age|place

12345|28|india

how can i configure my prop.conf amd transform.conf file for this.I studied getting data manual but seems not woking for me. Can u assit me by giving me the code detail.As i am doing poc on it.

Tags (1)
0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎09-30-2012 01:45 PM

For a search time manual field extraction with a regex.



mysearch | rex "(?[^|])\|(?[^|])\|(?[^|]*)" | table emp age place

For an automatic field extraction,

see http://docs.splunk.com/Documentation/Splunk/4.3.4/Data/Extractfieldsfromfileheadersatindextime
on the search-head or indexer, define a search time field extraction for your sourcetype.
in props.conf



[mysourcetype]

TRANSFORMS-mysourcetypefields = mysourcetypefieldsextraction

in transforms.conf


[mysourcetypefieldsextraction]

FIELDS="emp", "age", "place"

DELIMS="|"

Reply

Simon
Contributor
‎09-28-2012 10:47 AM

Did you try KV_MODE = multi in props.conf (http://docs.splunk.com/Documentation/Splunk/4.3.4/admin/Propsconf) ?

0 Karma
Reply

Tridi123
New Member
‎09-29-2012 12:54 AM

To turn on automatic header-based field extraction for a source or source type, add CHECK_FOR_HEADER=TRUE then [deatils]--------------sourcetype CHECK_FOR_HEADER=TRUE
then should i give KV_MODE = multi

0 Karma
Reply

Tridi123
New Member
‎09-29-2012 12:14 AM

link is not opening

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...