https://community.splunk.com/t5/Getting-Data-In/Apply-field-extraction-to-source-field/m-p/308820#M92767 <P>You can use <CODE>rex</CODE> but it will only apply at search time</P> <P>Example:</P> <P><CODE>... | rex field=source &lt;REGEX&gt;</CODE></P> Mon, 17 Jul 2017 15:24:27 GMT skoelpin 2017-07-17T15:24:27Z https://community.splunk.com/t5/Getting-Data-In/Apply-field-extraction-to-source-field/m-p/308819#M92766 <P>Hi,</P> <P>I need to extract a few fields from the 'source' field.</P> <P>I do not have access to props.conf.</P> <P>Is there anyway of doing this extraction from the Splunk Search Head UI? (as I do not have access to change props.conf)</P> <P>Thanks,<BR /> Namritha</P> Mon, 17 Jul 2017 15:22:32 GMT https://community.splunk.com/t5/Getting-Data-In/Apply-field-extraction-to-source-field/m-p/308819#M92766 namrithadeepak 2017-07-17T15:22:32Z https://community.splunk.com/t5/Getting-Data-In/Apply-field-extraction-to-source-field/m-p/308820#M92767 <P>You can use <CODE>rex</CODE> but it will only apply at search time</P> <P>Example:</P> <P><CODE>... | rex field=source &lt;REGEX&gt;</CODE></P> Mon, 17 Jul 2017 15:24:27 GMT https://community.splunk.com/t5/Getting-Data-In/Apply-field-extraction-to-source-field/m-p/308820#M92767 skoelpin 2017-07-17T15:24:27Z https://community.splunk.com/t5/Getting-Data-In/Apply-field-extraction-to-source-field/m-p/308821#M92768 <P>I want to define it as an extracted field.</P> <P>I am going to using field1 and field2 in summary indexes, and I do not want to include regex in summary index.</P> Mon, 17 Jul 2017 15:32:11 GMT https://community.splunk.com/t5/Getting-Data-In/Apply-field-extraction-to-source-field/m-p/308821#M92768 namrithadeepak 2017-07-17T15:32:11Z https://community.splunk.com/t5/Getting-Data-In/Apply-field-extraction-to-source-field/m-p/308822#M92769 <P>Fields » Field transformations » Add new <BR /> Name : tranfroms name<BR /> Type: regex-based<BR /> Regular expression: your regular <BR /> Format: your field name::$1<BR /> Source key: source</P> <P>Fields » Field extractions » Add new </P> <P>Name : extraction name<BR /> sourcetype : give your sourcetyp<BR /> Type: Use transform<BR /> Extraction/Transform: transform name mentioned above</P> <P>I hope this helps</P> Mon, 17 Jul 2017 15:46:18 GMT https://community.splunk.com/t5/Getting-Data-In/Apply-field-extraction-to-source-field/m-p/308822#M92769 sbbadri 2017-07-17T15:46:18Z https://community.splunk.com/t5/Getting-Data-In/Apply-field-extraction-to-source-field/m-p/308823#M92770 <P><A href="http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managesearch-timefieldextractions#Add_new_field_extractions_in_Splunk_Web">http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managesearch-timefieldextractions#Add_new_field_extractions_in_Splunk_Web</A></P> <P>Badri nailed it. Here are the docs that walk you through it. This will be the same thing as configuring directly via the conf files. </P> <P>Also remember that you don't need the field names in the capture groups if you use the transforms method. </P> <P>Some real good reading here too:</P> <P><A href="https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf#Field_extraction_configuration">https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf#Field_extraction_configuration</A><BR /> <A href="https://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf#GLOBAL_SETTINGS">https://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf#GLOBAL_SETTINGS</A></P> Mon, 17 Jul 2017 15:49:55 GMT https://community.splunk.com/t5/Getting-Data-In/Apply-field-extraction-to-source-field/m-p/308823#M92770 mattymo 2017-07-17T15:49:55Z https://community.splunk.com/t5/Getting-Data-In/Apply-field-extraction-to-source-field/m-p/308824#M92771 <P>If you go to Settings --&gt; Fields --&gt; Field Transformations, you can create a field transform (a field extracting regular expression) that uses the "source" field as the source-key. </P> <P>Next go to Settings --&gt; Fields --&gt; Field Extractions and create a new extraction, being sure to set the "Type" to Transform and using the Transform you created above. </P> <P>Be sure to put both of these in the correct app.</P> Mon, 17 Jul 2017 15:58:03 GMT https://community.splunk.com/t5/Getting-Data-In/Apply-field-extraction-to-source-field/m-p/308824#M92771 wpreston 2017-07-17T15:58:03Z https://community.splunk.com/t5/Getting-Data-In/Apply-field-extraction-to-source-field/m-p/308825#M92772 <P>@sbbadri beat me to it <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> </P> Mon, 17 Jul 2017 15:59:21 GMT https://community.splunk.com/t5/Getting-Data-In/Apply-field-extraction-to-source-field/m-p/308825#M92772 wpreston 2017-07-17T15:59:21Z https://community.splunk.com/t5/Getting-Data-In/Apply-field-extraction-to-source-field/m-p/308826#M92773 <P>Thankyou <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /> Worked beautifully.</P> Tue, 18 Jul 2017 21:10:14 GMT https://community.splunk.com/t5/Getting-Data-In/Apply-field-extraction-to-source-field/m-p/308826#M92773 namrithadeepak 2017-07-18T21:10:14Z https://community.splunk.com/t5/Getting-Data-In/Apply-field-extraction-to-source-field/m-p/308827#M92774 <P>Thankyou very much</P> Tue, 18 Jul 2017 21:10:29 GMT https://community.splunk.com/t5/Getting-Data-In/Apply-field-extraction-to-source-field/m-p/308827#M92774 namrithadeepak 2017-07-18T21:10:29Z