We use a custom format for our Apache access logs. Long ago, I put together a regex to extract the fields from the custom format. At that time, I set it up as a field extraction on the indexer....
Hi,
I've recently noticed the recommendations to move to search-time versus index-time field extractions. I'm trying to get an idea of exactly how much of the configuration that we've got in p...
I have a custom log format that is Apache's access_combined format with a custom field representing an app's version number at the end. The fields are space separated. How can I configure Splunk t...
...ust search for "app=myapp env=test"
Since the fields are always there and should be a part of most queries, it seems like a good idea to add them at index time(?)
In etc/system/local I have a...
...articular element in their config files.
For log files in XML (as described in this question) you can define event boundaries and extract fields based on sub-elements or attributes. But XML configur...
...e at index-time or search-time. What is important to me is that I would be able to see the fields when I search the events. I have been searching for 2 days now and tried different answers I came a...
...ata and the .tsidx files is made. How are the .tsidx files formed from the event data? When I look at the data models object hierarchy in settings I see the fields that it e...
Hello,
I had created some custom fields in my original Splunk install, then I installed on a new server. I'm trying to migrate the custom fields I created. To try to save some time, I copied t...
Hello,
I want to extract a field with index-time extraction on the search head (I know it's not the best idea), but I'm having some strange issues with it.
A new field should be indexed through c...
Hi all,
I am fairly new to Splunk and have been working on the following search-time field extraction to grab Windows formatted filenames from various different custom logs and was wondering if a...