How to extract a particular field at index time and at search time, or how to do field extraction in Splunk?

Index Time Field Extraction :
Before indexing the data, we have to change the following files.
(C:\Program Files\Splunk\etc\system\local)
1. transforms.conf
          [<unique_transform_stanza_name>]
          REGEX = <regular_expression>
          FORMAT = <your_custom_field_name>::$1
          WRITE_META = [true|false]
          DEST_KEY = <KEY>
          DEFAULT_VALUE = <string>
          SOURCE_KEY = <KEY>
          REPEAT_MATCH = [true|false]
          LOOKAHEAD = <integer>

  • The <unique_transform_stanza_name> is required for all transforms, as is the REGEX.
  • REGEX is a regular expression that operates on your data to extract fields.
  • FORMAT is optional. Use it to specify the format of the field-value pair(s) that you are extracting, including any field names or values that you want to add. You don’t need to specify the FORMAT if you have a simple REGEX with name-capturing groups.
  • WRITE_META = true writes the extracted field name and value to _meta, which is where Splunk stores indexed fields.
  • DEST_KEY is required for index-time field extractions where WRITE_META = false or is not set. It specifies where Splunk sends the results of the REGEX.
  • DEFAULT_VALUE is optional. The value for this attribute is written to DEST_KEY if the REGEX fails.
  • SOURCE_KEY is optional. You use it to identify a KEY whose values the REGEX should be applied to.
  • REPEAT_MATCH is optional. Set it to true to run the REGEX multiple times on the SOURCE_KEY.
  • LOOKAHEAD is optional. Use it to specify how many characters to search into an event.

2. props.conf
          [<spec>]
          TRANSFORMS-<class> = <unique_transform_stanza_name>

          <spec> can be:
          <sourcetype>, the sourcetype of an event.
          host::<host>, where <host> is the host for an event.
          source::<source>, where <source> is the source for an event.

3. fields.conf
          [<your_custom_field_name>]
          INDEXED=true

          <your_custom_field_name> is the name of the custom field you set in the unique
          stanza that you added to transforms.conf.
          Set INDEXED=true to indicate that the field is indexed.

  • Index-time field extraction examples.

This basic example creates an indexed field called device_id_new.
1. In transforms.conf, add:

2. Add the following lines to props.conf:

3. Add the following lines to fields.conf:

4. Restart Splunk for your configuration file changes to take effect.

5. After indexing the data
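As an added, complete example of the three-file procedure above (this is not the original post's configuration), the stanzas below create the indexed field device_id_new. The sourcetype name device_log, the stanza name device_id_new_extract, the class name deviceid and the sample event format are all assumptions made for this example.

```ini
# Added example, not from the original post. Assumed/constructed values:
# sourcetype "device_log" and events such as
#   2024-01-01T10:00:00Z device_id=4711 action=login user=alice
# All three files live in $SPLUNK_HOME/etc/system/local (or an app's local dir).

# --- transforms.conf ---
[device_id_new_extract]
# Capture only the digits after "device_id="; $1 refers to this first capture group
REGEX = device_id=(\d+)
# Name the indexed field device_id_new and give it the captured value
FORMAT = device_id_new::$1
# Write the name/value pair into _meta so it is stored in the index
WRITE_META = true

# --- props.conf ---
[device_log]
# Run the transform above on every event of this sourcetype at index time
TRANSFORMS-deviceid = device_id_new_extract

# --- fields.conf ---
[device_id_new]
# Tell search that this field lives in the index, not in the raw event text
INDEXED = true
```

After restarting Splunk, only events indexed from then on carry the field; verify with a search such as `sourcetype=device_log device_id_new=4711`, or with `| tstats count where sourcetype=device_log by device_id_new`, which works precisely because the field is indexed. Two caveats worth keeping in mind: an indexed field is baked into the index, so a wrong or later-changed REGEX cannot be corrected without re-indexing the data, and every indexed field adds to index size. For that reason, keep the REGEX tight (here `\d+` rather than `\S+`) so that arbitrary user-supplied text that ends up in a log line cannot land in the field, and reserve index-time extraction for fields you genuinely need for tstats-speed reporting; everything else is better done at search time.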

  • Search-time field extraction:

          Use configuration files to configure custom fields at search time, to enrich your events with
          fields that are not discovered by available Splunk Web extraction methods.

          You can set up and manage search-time field extractions via Splunk Web.

          EXTRACT field extraction configuration syntax:

  • <spec> options

          [<spec>]
          EXTRACT-<class> = [<regular_expression>|<regular_expression> in <string>]

  • Example inline field extraction configurations

          Create a device_name_new field by configuring a field extraction in props.conf

          1. In props.conf, add the following line:

          2. Get the particular extracted field
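As an added example of the EXTRACT syntax shown above (not the original post's configuration), the props.conf stanza below creates device_name_new with a named capture group and also shows the `<regular_expression> in <string>` form, which runs the regex over an already-available field instead of _raw. The sourcetype device_log, the field device_site, the host naming scheme and the sample event are assumptions made for this example.

```ini
# Added example, not from the original post. Assumes sourcetype "device_log",
# hosts named like "lon-fw-01", and constructed events such as
#   2024-01-01T10:00:00Z device_name=edge-fw-01 action=login user=alice
# Place in $SPLUNK_HOME/etc/system/local/props.conf (or an app's local dir).

[device_log]
# The named capture group (?<device_name_new>...) sets the field name,
# so no separate FORMAT or transforms.conf stanza is needed at search time.
# The character class is deliberately narrow so stray text in the event
# cannot spill into the field value.
EXTRACT-device_name_new = device_name=(?<device_name_new>[A-Za-z0-9._-]+)

# "in host" applies the regex to the default host field rather than to _raw;
# here it pulls the site prefix ("lon") out of a host such as "lon-fw-01".
EXTRACT-device_site = ^(?<device_site>[a-z]+)- in host
```

Search-time extractions are evaluated when a search runs, so they apply to data that was indexed before the stanza existed and can be corrected at any time without re-indexing. Pick up the change by restarting Splunk or by running `| extract reload=true` once in a search, then check the result with `sourcetype=device_log | stats count by device_name_new device_site`.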

If you are still facing issues regarding field extraction in Splunk, feel free to ask your doubts in the comment box below, and don't forget to follow us on our social networks. Happy Splunking! 😉