Splunk Search

manual field extraction from header

giovere
Path Finder

I have a log file which looks like this:

name___________;ip_____________;soemeid_
Bob            ;127.0.0.1        ;6
Alice          ;127.0.0.2         ;3
Bill          ;127.0.0.3        ;4

Fields can be extracted from the header, but when I add CHECK_FOR_HEADER = TRUE to props.conf all I get for field/value is name________/name________, and the same for all fields. Obviously I'm missing something here, but after digging into the documentation for several hours I could not find the right text; maybe you can point out what I'm looking for in Splunk terms? Also, aliasing fields would be nice to have, like the field "name__________" being referenced from the search app as "name". Thanks in advance ...


_d_
Splunk Employee

When you set CHECK_FOR_HEADER=true, Splunk will end up renaming your sourcetype(s) as a result of the automatic header-based field extraction process. I would suggest using CHECK_FOR_HEADER=false and then using FIELDS and DELIMS in props.conf and transforms.conf for all field extraction configuration. This way you also don't have to do any field aliasing. This blog post may also provide some help:
http://blogs.splunk.com/2008/02/22/delimiter-base-kv-extraction-advanced/

- please upvote if you find this answer useful
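A props.conf/transforms.conf pair that applies the approach from the answer above to the padded, semicolon-delimited sample in the question; this is an added example, not configuration posted in the thread. The sourcetype name `padded_csv`, the transform names `padded_csv_drop_header` and `padded_csv_fields`, and the cleaned-up field name `someid` (for the header's `soemeid_`) are assumptions.

```ini
# props.conf  (assumed sourcetype name: padded_csv)
[padded_csv]
# Do not let Splunk auto-detect the header row; that is what renamed the sourcetype
CHECK_FOR_HEADER = false
# Index time: send the header line itself to the null queue so it is never indexed as an event
TRANSFORMS-drop_header = padded_csv_drop_header
# Index time: strip the space padding in front of each ';' so DELIMS-extracted values are clean
SEDCMD-trim_padding = s/[ \t]+;/;/g
# Search time: delimiter-based extraction with the short field names (no field aliasing needed)
REPORT-fields = padded_csv_fields

# transforms.conf
[padded_csv_drop_header]
# Matches the header row "name___________;ip_____________;soemeid_"
REGEX = ^name_+;ip_+;
DEST_KEY = queue
FORMAT = nullQueue

[padded_csv_fields]
# Positional extraction: first value -> name, second -> ip, third -> someid
DELIMS = ";"
FIELDS = "name", "ip", "someid"
```

The TRANSFORMS- and SEDCMD- settings are index-time, so they must live on the indexer or heavy forwarder that parses the data and only affect events indexed after the change; REPORT- is search-time and applies to data that is already indexed.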


rgcurry
Contributor

My data is formatted differently, like this:

LOCATION RUN DATE FIELD-ONE
LOC-ONE 03/05/13 157052
LOCATION RUN DATE FIELD-ONE
LOC-TWO 03/05/13 157052
LOCATION RUN DATE FIELD-ONE
LOC-THRE 03/05/13 157052
LOCATION RUN DATE FIELD-TWO
LOC-ONE 03/06/13 35868
LOCATION RUN DATE FIELD-THREE
LOC-FOUR 07/15/13 0
LOCATION RUN DATE FIELD-FOUR
LOC-FIVE 07/15/13 6385

The data is from three logs with the same sourcetype. The third header is variable. The doc for the FIELDS statement implies I can't use a RegEx to capture the field name (“\w+”). That would make a nice feature, eh? (8->)

Suggestions?
