Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: field extractions
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
field extractions
Hi my input file looks like
Src,Eqid,Version,Datetime,Lat,Lon,Magnitude,Depth,NST,Region
nn,00390493,9,"Monday, October 8, 2012 12:24:31 UTC",39.7152,-119.4563,1.0,10.90, 5,"Nevada"
us,c000d3t1,5,"Monday, October 8, 2012 12:20:52 UTC",-4.4803,129.2248,4.8,34.90,60,"Banda Sea"
us,c000d3sw,7,"Monday, October 8, 2012 12:18:47 UTC",44.1363,17.1806,4.4,11.60,47,"Bosnia and Herzegovina"
I am configuring my transforms.conf as
[access-extraction]
DELIMS=","
FIELDS="Src", "Eqid", "Version", "Datetime", "Lat", "Lon", "Magnitude", "Depth", "NST", "Region"
then runninng query after saving it in index quak like
index-"quak"| extract access-extraction
but the filed is not getting extracted error coming as
Error in 'extract' command: Failed to parse the key-value pair configuration for transform 'access-extraction'.
[EventsViewer module] Error in 'extract' command: Failed to parse the key-value pair configuration for transform 'access-extraction'.
can anyone help me to resolve the issue??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm not sure what exactly is happening here, but I have some things to try. First, I see that you invoked the extraction explicitly in your search. Do you get the same error message if you invoke the extraction via props.conf? To test, put the following stanza in a props.conf file (which must be in the same directory as your transforms.conf):
[yoursourcetypehere]
REPORT-r1=access-extraction
SHOULD_LINEMERGE = false
TIME_FORMAT = %a, %b %d, %Y %H:%M:%S %Z
I added a couple of settings here (SHOULD_LINEMERGE and TIME_FORMAT) that may not be needed. However, SHOULD_LINEMERGE=false will speed up the parsing.
I am also unsure whether Splunk is going to respect the quoted strings in the input data. This would make the Datetime into three fields: day of week, month+day, year+time+tz. Ugly, but still workable. The quotation marks might also end up as part of the fields... So, you could also try this for your transforms.conf, just to test
[access-extraction]
DELIMS=","
FIELDS=Src, Eqid, Version, Datetime1, Datetime2, Datetime3, Lat, Lon, Magnitude, Depth, NST, Region
(Note that quotes around the field names are not required.)
BTW, I hope that all your data in is UTC. Otherwise, check carefully as I am not sure that the %Z specifier for timezone will always work properly. And there are some ambiguities in the 3-character timezone specifiers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So what error message do you get when using props.conf - is it the same as the message that you get from the extract in the search panel?
Also, after you created the entry in transforms.conf, did you restart Splunk?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i have tried this but not working unfortunately
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
actually after configuring transform.conf i can invoke extract from serch panel
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
Global Splunk User Group Events: May + June 2026
