Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

manual field extraction from header

giovere
Path Finder
‎10-24-2011 07:36 AM

I'm having log file which looks like this:

name___________;ip_____________;soemeid_
Bob            ;127.0.0.1        ;6
Alice          ;127.0.0.2         ;3
Bill          ;127.0.0.3        ;4

Fields can be extracted from the header, but when I'm adding CHECK_FOR_HEADER = TRUE in the props.conf all I get for field/value is: name________/name________ the same for all fields. Obviously I'm missing something here, but after digging into the documentation for several hours could not find right text, maybe you can point out what I'm looking for in the Splunk terms? Also aliasing fields would be nice to have like field "name__________" to be referenced from the search app as "name". Thanks in advance ...

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

_d_
Splunk Employee
Splunk Employee
‎10-24-2011 04:06 PM

When you set CHECK_FOR_HEADER=true Splunk will end up renaming your sourcetype/s as a result of the automatic header-based field extraction process. I would suggest using CHECK_FOR_HEADER=false and then use FIELDS and DELIMS in props.conf and transforms.conf for all field extractions configurations. This way you also don't have to do any field aliasing. This blog post may also provide some help:
http://blogs.splunk.com/2008/02/22/delimiter-base-kv-extraction-advanced/

- please upvote if you find this answer useful

View solution in original post

Reply
Solved! Jump to solution
Solution

_d_
Splunk Employee
Splunk Employee
‎10-24-2011 04:06 PM

When you set CHECK_FOR_HEADER=true Splunk will end up renaming your sourcetype/s as a result of the automatic header-based field extraction process. I would suggest using CHECK_FOR_HEADER=false and then use FIELDS and DELIMS in props.conf and transforms.conf for all field extractions configurations. This way you also don't have to do any field aliasing. This blog post may also provide some help:
http://blogs.splunk.com/2008/02/22/delimiter-base-kv-extraction-advanced/

- please upvote if you find this answer useful

Reply
Solved! Jump to solution

rgcurry
Contributor
‎10-31-2013 01:44 PM

My data is formatted differently, like this:

LOCATION RUN DATE FIELD-ONE
LOC-ONE 03/05/13 157052
LOCATION RUN DATE FIELD-ONE
LOC-TWO 03/05/13 157052
LOCATION RUN DATE FIELD-ONE
LOC-THRE 03/05/13 157052
LOCATION RUN DATE FIELD-TWO
LOC-ONE 03/06/13 35868
LOCATION RUN DATE FIELD-THREE
LOC-FOUR 07/15/13 0
LOCATION RUN DATE FIELD-FOUR
LOC-FIVE 07/15/13 6385

Data is from three logs same sourcetype. The third header is variable. The doc for the FIELDS statement implies I can't use RegEx to capture the field name (“\w+”). That would make a nice feature, eh? (8->)

Suggestions?

0 Karma
Reply
Solved! Jump to solution

giovere
Path Finder
‎10-25-2011 03:03 AM

Thanks, it works here is one more example: http://splunk-base.splunk.com/answers/1902/iis-and-exchange-log-header-extraction

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...