can any one know how to do it?
http://docs.splunk.com/Documentation/Splunk/latest/Data/Extractfieldsfromfileheadersatindextime
See here: http://docs.splunk.com/Documentation/Splunk/4.3.4/Data/Extractfieldsfromfileheadersatindextime#Enabl...
http://docs.splunk.com/Documentation/Splunk/4.3.4/Data/Extractfieldsfromfileheadersatindextime#Enabl...
And for a different way see : http://splunk-base.splunk.com/answers/60316/how-to-enable-automatic-header-based-field-extraction
http://splunk-base.splunk.com/answers/60316/how-to-enable-automatic-header-based-field-extraction
If this has answered your question, please accept it. Thanks!