Splunk® Enterprise

Getting Data In

Download manual as PDF

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Configure indexed field extraction

There are three types of fields that Splunk can extract at index time:

  • Default fields
  • Custom fields
  • File header fields

Splunk always extracts a set of default fields for each event. You can configure it to also extract custom and, for some data, file header fields.

For more information on indexed field extraction, see the chapter "Configure indexed field extraction" in this manual.

Retrieved from "https://docs.splunk.com/index.php?title=Documentation:Splunk:Data:Overviewofdefaultfieldextraction:4.2beta&oldid=626198"
PREVIOUS
Configure event timestamps 		  NEXT
Anonymize data

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters