Re: configuring field extraction

Tridi123 · ‎09-28-2012

Hi,
I want to enable automatic field extraction from header. My file looks like this format

emp|age|place

12345|28|india

how can i configure my prop.conf amd transform.conf file for this.I studied getting data manual but seems not woking for me. Can u assit me by giving me the code detail.As i am doing poc on it.

yannK · ‎09-30-2012

For a search time manual field extraction with a regex.



mysearch | rex "(?[^|])\|(?[^|])\|(?[^|]*)" | table emp age place

For an automatic field extraction,

see http://docs.splunk.com/Documentation/Splunk/4.3.4/Data/Extractfieldsfromfileheadersatindextime
on the search-head or indexer, define a search time field extraction for your sourcetype.
in props.conf



[mysourcetype]

TRANSFORMS-mysourcetypefields = mysourcetypefieldsextraction

in transforms.conf



[mysourcetypefieldsextraction]

FIELDS="emp", "age", "place"

DELIMS="|"

Simon · ‎09-28-2012

Did you try KV_MODE = multi in props.conf (http://docs.splunk.com/Documentation/Splunk/4.3.4/admin/Propsconf) ?

Tridi123 · ‎09-29-2012

To turn on automatic header-based field extraction for a source or source type, add CHECK_FOR_HEADER=TRUE then [deatils]--------------sourcetype CHECK_FOR_HEADER=TRUE
then should i give KV_MODE = multi

Tridi123 · ‎09-29-2012

link is not opening

configuring field extraction

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk