How to extract fields from a specific field instead of raw data using the conf files? Can it be done with EXTRACT-<class> = [<regex>|<regex> in <src_field>] in props.conf?
Hi rsimmons,
Looks like this has already been answered here: https://answers.splunk.com/answers/47982/extracting-field-from-a-field-other-than-raw-in-props-conf....
You need to use transforms configuration instead.
Hope this helps.
The extract fields command only works on raw data with transforms.conf however not with index data. The extractions is done via kv_mode=auto for the fields.