Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Search
Splunk Community
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Search
Search the Community
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
4,000 results
Sorted by:
11-07-2012
03:37 PM
1 Karma
...onfiguration syntax to set up fields.conf with the same regex and number of fields.
^(? [^ ]+)\s[^ ]+\,[0-9]+ \[(? [^ ]+)\] New documents[ ]+: (? [^a-zA-Z._]*) \<[0-9 ]+ \((? [^ ]+)\)\> *DATASOURCE.(? ....
- Tags:
- field-extraction
08-01-2010
07:47 PM
2 Karma
...ac_addr
Setting fields.conf as follows:
[mac_addr]
INDEXED = false
INDEXED_VALUE = false
While using a TOKENIZER of ([^,]\*) doesn't change the behavior of a basic search, like "*" ....
02-28-2018
02:11 AM
...riting it inline none of it is working. Used fields.conf:
[allowed_ip]
TOKENIZER=([^\,]+)
Also tried to implement it in props.conf and transforms.conf:
props.conf
[abc:pce:metadata]
E...
01-12-2022
09:33 AM
I'm trying to get a new sourcetype (NetApp user-level audit logs, exported as XML) to work, and I think my fields.conf tokenizer is breaking things. But I'm not really sure how, or why, or what to d...
- Tags:
- fields.conf
- tokenizer
Labels
- Labels:
-
field extraction
Show results in replies (5)
-
What benefits would there be to a transforms.conf approach over fields.conf? I'm still fairly new t...
-
...hose fields, the field extraction works. But when I add fields.conf the fields named therein aren't e...
-
Well, at least that updated tokenizer breaks things in a different way... I edited the fields...
-
...ime prowess is Splunk's very strength. Why not use it? Meantime, the error in fields.conf is t...
-
...ren't parsed properly either. 🙂 I'm primarily interested in understanding why my fields.conf t...
04-20-2010
12:49 PM
3 Karma
I'm running a search based on a field extracted at search time using props.conf.
I've noticed that if I don't have a fields.conf, my search works fine. Instead if I create a fields.conf and I s...
Show results in replies (3)
-
You should not be setting anything in fields.conf for search-time extracted fields. Setting I...
-
...nstance::pango is indexed.) Since your fields are created via search-time extractions, this setting i...
-
This is technically more of a comment than an answer (both jrodman and gkanapathy covered the topic...
06-08-2016
02:21 PM
I was wondering if it's possible to extract an mv field, from an already extracted field, using fields.conf?
For example:
I have a series of data
ANSWER SECTION:
Offset = 0x0016, RR c...
03-10-2021
11:04 PM
Hi, There is the description for INDEXED_VALUE in fields.conf INDEXED_VALUE = [true|false|<sed-cmd>|<simple-substitution-string>]
* Set this to true if the value is in the raw t...
Labels
- Labels:
-
administration
-
configuration
04-30-2015
07:00 AM
...o ./etc/system/local/fields.conf :
[field_a]
TOKENIZER = ([^\|]+)
[field_b]
TOKENIZER = ([^\|]+)
The only problem is that above approach seems to have global effect across all indexes and a...
11-01-2017
03:23 PM
1 Karma
I'm adding fields in my json format data like, below. The issue is, the search "index=myHEC *" returns data but "index=myHEC myType=Find_me " is not working.
{
"time": 1507522387,
"host": "m...
10-17-2017
02:57 AM
...vents, but its not parsing the field that I wanted,
so I used rex to get the field parsed and this worked, bu then I couldn't do any searches on the field, because I need to adjust fields.conf or s...
