Splunk® Enterprise

Knowledge Manager Manual

Splunk Enterprise version 8.1 will no longer be supported as of April 19, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Configure custom fields at search time

Use configuration files to configure custom fields at search time, to enrich your events with fields that are not discovered by available Splunk Web extraction methods. You can use .conf files such as transforms.conf and props.conf to add, maintain, and review libraries of custom field additions.

You can set up and manage search-time field extractions via Splunk Web. You cannot configure automatic key-value field extractions through Splunk Web. For more information on setting up field extractions through Splunk Web, see manage search-time field extractions.

You can locate props.conf and transforms.conf in $SPLUNK_HOME/etc/system/local/, or your own custom app directory in $SPLUNK_HOME/etc/apps/.

In general, you should try to extract your fields at search time rather than at index-time. There are relatively few cases where index-time extractions are better, and they can cause an increase in index size making your searches slower. See Configuring index-time field extractions.

Field extraction configurations must include a regular expression that specifies how to find the field that you want to extract.

See About fields.

Types of field extraction

There are three field extraction types: inline, transform, and automatic key-value.

Field extraction type Configuration location See
Inline extractions Inline extractions have EXTRACT-<class> configurations in props.conf stanzas. Configure inline extractions
Transform extractions Transform extractions have REPORT-<class> name configurations that are defined in props.conf stanzas. Their props.conf configurations must reference field transform stanzas in transforms.conf. Configure advanced extractions with field transforms
Automatic key-value extractions Automatic key-value extractions are configured in props.conf stanzas where KV_MODE is set to a valid value other than none. Configure automatic key-value field extraction

When to use inline or transform extractions

Field extraction type Situation See
Inline extractions
  • You have one regular expression per field extraction configuration.
  • You have a simple setup with one regular expression, and you want to extract multiple fields.
  • You want to create a new field by configuring an extraction.
Configure inline extractions with props.conf
Transform extractions
  • To reuse the same field-extracting regular expression across multiple sources, source types, or hosts.
  • To apply more than one field-extracting regular expression to the same source, source type, or host.
  • To set up delimiter-based field extractions.
  • To configure extractions for multivalue fields.
  • To extract fields with names that begin with numbers or underscores.
  • To manage the formatting of extracted fields, in cases where you are extracting multiple fields or are extracting both the field name and field value.
Configure advanced extractions with field transforms

Both of these configurations can be set up in the regular expression as well.

Last modified on 30 September, 2019
Use the Field transformations page   Configure inline extractions

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.11, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 8.1.10, 8.1.12, 8.1.13, 8.1.14


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters