Splunk Search

manual field extraction from header

Path Finder

I have a log file which looks like this:

name___________;ip_____________;soemeid_
Bob            ;127.0.0.1        ;6
Alice          ;127.0.0.2         ;3
Bill          ;127.0.0.3        ;4

Fields can be extracted from the header, but when I add CHECKFORHEADER = TRUE to props.conf, all I get for field/value is name________/name________, the same for all fields. Obviously I'm missing something here, but after digging through the documentation for several hours I could not find the right text. Maybe you can point out what I'm looking for in Splunk terms? Also, aliasing fields would be nice to have, e.g. referencing the field "name__________" from the search app as "name". Thanks in advance ...


Splunk Employee

When you set CHECK_FOR_HEADER=true, Splunk will end up renaming your sourcetype(s) as a result of the automatic header-based field extraction process. I would suggest using CHECK_FOR_HEADER=false and then using FIELDS and DELIMS in props.conf and transforms.conf for all field extraction configuration. This way you also don't have to do any field aliasing. This blog post may also provide some help:
http://blogs.splunk.com/2008/02/22/delimiter-base-kv-extraction-advanced/

- please upvote if you find this answer useful

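As an added, illustrative example (not part of the answer above or of any Splunk documentation): the setting the question tried, shown commented out, beside the CHECK_FOR_HEADER=false plus DELIMS/FIELDS configuration the answer recommends, written for the three-column log in the question. The sourcetype name padded_csv and the stanza names are my own assumptions; the keys themselves (CHECK_FOR_HEADER, REPORT-*, DELIMS, FIELDS, REGEX, FORMAT) are standard props.conf/transforms.conf settings.

```ini
# props.conf
[padded_csv]
# What the question tried. CHECK_FOR_HEADER is an index-time setting: besides
# the header_name/header_name pairs seen in the question, it makes Splunk
# derive a new sourcetype name from the detected header, so searches on
# sourcetype=padded_csv stop matching. Changing it later does not reprocess
# data that is already indexed.
# CHECK_FOR_HEADER = true

# What the answer recommends: leave header detection off and name the
# fields yourself. The names given in FIELDS are the names you search by,
# so no FIELDALIAS from "name___________" to "name" is needed.
CHECK_FOR_HEADER = false
# REPORT-* is a search-time extraction; it belongs on the search head.
REPORT-cols = padded_csv_fields

# If the padding spaces in the sample data end up inside the extracted
# values (DELIMS splits on the delimiter characters only; I would not rely
# on it trimming whitespace), swap the line above for this regex variant:
# REPORT-cols = padded_csv_regex

# transforms.conf
[padded_csv_fields]
# Every character in DELIMS is treated as a separator; here only ";".
# Column order must match the log: name;ip;someid.
DELIMS = ";"
FIELDS = name, ip, someid

[padded_csv_regex]
# Whitespace around each value is consumed outside the capture groups.
# Requiring a dotted-quad in the second column also means the header line
# (which is indexed as an ordinary event) yields no fields instead of
# name="name___________".
REGEX = ^\s*(\S+)\s*;\s*(\d{1,3}(?:\.\d{1,3}){3})\s*;\s*(\d+)\s*$
FORMAT = name::$1 ip::$2 someid::$3
```

After deploying either stanza pair, a search such as `sourcetype=padded_csv | table name ip someid` should show the three columns with the short names; if the values still carry trailing spaces with the DELIMS variant, switch REPORT-cols to the regex transform.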

Contributor

My data is formatted differently, like this:

LOCATION RUN DATE FIELD-ONE
LOC-ONE 03/05/13 157052
LOCATION RUN DATE FIELD-ONE
LOC-TWO 03/05/13 157052
LOCATION RUN DATE FIELD-ONE
LOC-THRE 03/05/13 157052
LOCATION RUN DATE FIELD-TWO
LOC-ONE 03/06/13 35868
LOCATION RUN DATE FIELD-THREE
LOC-FOUR 07/15/13 0
LOCATION RUN DATE FIELD-FOUR
LOC-FIVE 07/15/13 6385

The data is from three logs with the same sourcetype. The third header is variable. The doc for the FIELDS statement implies I can't use RegEx to capture the field name (“\w+”). That would make a nice feature, eh? (8->)

Suggestions?
