Configure custom fields at search time
Use configuration files to configure custom fields at search time, to enrich your events with fields that are not discovered by the extraction methods available in Splunk Web. You can use .conf files such as transforms.conf and props.conf to add, maintain, and review libraries of custom field additions.
You can also set up and manage search-time field extractions in Splunk Web, with one exception: automatic key-value field extractions cannot be configured through Splunk Web. For more information on setting up field extractions through Splunk Web, see Manage search-time field extractions.
You can locate props.conf and transforms.conf in $SPLUNK_HOME/etc/system/local/, or in your own custom app directory under $SPLUNK_HOME/etc/apps/.
In general, extract your fields at search time rather than at index time. There are relatively few cases where index-time extractions are better, and they increase the size of the index, which can make your searches slower. Search-time extractions also apply to data that is already indexed, so you can add or correct them without reindexing. See Configuring index-time field extractions.
Field extraction configurations must include a regular expression that specifies how to find the field that you want to extract.
See About fields.
Types of field extraction
There are three field extraction types: inline, transform, and automatic key-value.
Field extraction type | Configuration location | See |
---|---|---|
Inline extractions | EXTRACT-<class> settings in props.conf stanzas. | Configure inline extractions |
Transform extractions | REPORT-<class> settings in props.conf stanzas. Each REPORT-<class> setting must reference a field transform stanza in transforms.conf. | Configure advanced extractions with field transforms |
Automatic key-value extractions | props.conf stanzas where KV_MODE is set to a valid value other than none. | Configure automatic key-value field extraction |
When to use inline or transform extractions
Field extraction type | Situation | See |
---|---|---|
Inline extractions | One regular expression that belongs to a single props.conf stanza and does not need to be shared with other stanzas. | Configure inline extractions with props.conf |
Transform extractions | The regular expression is defined once in a transforms.conf stanza, which REPORT-<class> settings in one or more props.conf stanzas can reference. | Configure advanced extractions with field transforms |

Both of these extraction types can also be set up in Splunk Web. See Use the Field transformations page and Configure inline extractions.
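The following configuration is an added example and is not taken from the Splunk documentation. It shows all three extraction types from the first table and the inline-versus-transform split from the second table, applied to two constructed log formats: an sshd authentication log and an application audit log written as key=value pairs. The source type names linux_secure and webapp_audit, the app directory, the extraction class names, the transform stanza name, and the sample events quoted in the comments are all assumptions made for the example.

```ini
# props.conf (added example, not from the Splunk docs). Place it in
# $SPLUNK_HOME/etc/apps/<your_app>/local/ next to the transforms.conf
# section below. "linux_secure" and "webapp_audit" are assumed source
# type names. Splunk .conf files do not support trailing comments, so
# every comment in this file sits on its own line.

[linux_secure]
# 1. Inline extraction: the regex lives in this stanza and its named
#    capture groups become the field names auth_result, auth_method and
#    user. It matches constructed sshd events such as
#    "... sshd[2231]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2"
#    "... sshd[2240]: Accepted publickey for deploy from 198.51.100.7 port 40112 ssh2"
EXTRACT-ssh_auth = sshd\[\d+\]: (?<auth_result>Accepted|Failed) (?<auth_method>\S+) for (?:invalid user )?(?<user>\S+)

# 2. Transform extraction: the "from <ip> port <port>" pattern is generic,
#    so it is defined once in transforms.conf and referenced here. Any
#    other source type stanza can reuse it with the same REPORT- line.
REPORT-remote_endpoint = remote_endpoint

# The sshd log carries no key=value pairs, so automatic extraction is
# switched off for this source type.
KV_MODE = none

[webapp_audit]
# 3. Automatic key-value extraction: for a constructed event such as
#    "action=login result=failure user=admin src=203.0.113.45"
#    Splunk creates the fields action, result, user and src without any
#    regex. auto is the default; it is set explicitly here for clarity.
KV_MODE = auto

# ---- transforms.conf (same app directory) ----
# Referenced by REPORT-remote_endpoint above. FORMAT names the fields and
# maps them to the numbered capture groups in REGEX.
[remote_endpoint]
REGEX = from (\S+) port (\d+)
FORMAT = src_ip::$1 src_port::$2
```

Before committing a regex to props.conf or transforms.conf, run it against real sample events in a search with the rex command, which uses the same (?<name>...) capture-group syntax, and confirm that every variant you care about is matched (here both the "invalid user" and the "Accepted publickey" forms). An extraction that silently fails to match produces no field at all, so a detection search that filters on src_ip or auth_result will simply drop those events rather than report an error. Keep in mind that KV_MODE = auto extracts any key=value token it finds in the event text, including tokens that originate in user-supplied data such as a username, so fields it produces are only as trustworthy as the log that contains them.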
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2203, 8.2.2112, 8.2.2201, 8.2.2202, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release), 9.3.2408