https://community.splunk.com/t5/Dashboards-Visualizations/extract-usage-basics/m-p/84753#M4578 <P>martin,<BR /> thanks for your reply. I'm worried about how to use the extracted data in the successive commands</P> <P>for example<BR /> if i use a rex, i'll use a FIELDVALUE variable which'll be used in the successive command</P> <P>so now, the events look like this<BR /> event 1: a10=200,a11=210,a12=220<BR /> ...</P> <P>again, my search commands looks like this<BR /> source "somesource" | extract kvdelim="=" pairdelim="," auto=f</P> <P>do i have to use a rex eventhough i use a extract command? how will i refer the extracted fields in the succesive commands. sorry for my ignorance. </P> <P>please guide me.</P> <P>regards,<BR /> murali v</P> Fri, 05 Apr 2013 05:55:39 GMT muraliv 2013-04-05T05:55:39Z https://community.splunk.com/t5/Dashboards-Visualizations/extract-usage-basics/m-p/84751#M4576 <P>Hi,</P> <P>I understand what extract or kv command does. but what i don't understand is how the extracted values should be used in a timechart command.</P> <P>for example.</P> <P>event 1: 10=200,11=210,12=220</P> <P>event 2: 10=300,11=310,12=320</P> <P>event 3: 10=400,11=410,12=420</P> <P>if i want to plot a line graph, which will plot all the values of 10,11 and 12 i'll use as following</P> <P>source "someosource" | extract kvdelim="=" pairdelim="," auto=f</P> <P>how should i use the subsequent timechart command. how will i refer the fields 10,11 and 12 in the timecharts.<BR /> please guide me since i can't find a complete one to one tutorial with samples for extract command.</P> <P>thanks in advance.</P> Thu, 04 Apr 2013 13:13:25 GMT https://community.splunk.com/t5/Dashboards-Visualizations/extract-usage-basics/m-p/84751#M4576 muraliv 2013-04-04T13:13:25Z https://community.splunk.com/t5/Dashboards-Visualizations/extract-usage-basics/m-p/84752#M4577 <P>If I modify your data like this:</P> <PRE><CODE>event 1: a10=200,a11=210,a12=220 event 2: a10=300,a11=310,a12=320 event 3: a10=400,a11=410,a12=420 </CODE></PRE> <P>Then extract will pull out all the fields without any parameters given. I assume extract refuses to extract numbers as field names. You can still write a rex for that like this:</P> <PRE><CODE>... | rex "10=(?&lt;10&gt;\d+)" </CODE></PRE> Thu, 04 Apr 2013 13:47:41 GMT https://community.splunk.com/t5/Dashboards-Visualizations/extract-usage-basics/m-p/84752#M4577 martin_mueller 2013-04-04T13:47:41Z https://community.splunk.com/t5/Dashboards-Visualizations/extract-usage-basics/m-p/84753#M4578 <P>martin,<BR /> thanks for your reply. I'm worried about how to use the extracted data in the successive commands</P> <P>for example<BR /> if i use a rex, i'll use a FIELDVALUE variable which'll be used in the successive command</P> <P>so now, the events look like this<BR /> event 1: a10=200,a11=210,a12=220<BR /> ...</P> <P>again, my search commands looks like this<BR /> source "somesource" | extract kvdelim="=" pairdelim="," auto=f</P> <P>do i have to use a rex eventhough i use a extract command? how will i refer the extracted fields in the succesive commands. sorry for my ignorance. </P> <P>please guide me.</P> <P>regards,<BR /> murali v</P> Fri, 05 Apr 2013 05:55:39 GMT https://community.splunk.com/t5/Dashboards-Visualizations/extract-usage-basics/m-p/84753#M4578 muraliv 2013-04-05T05:55:39Z https://community.splunk.com/t5/Dashboards-Visualizations/extract-usage-basics/m-p/84754#M4579 <P>With those events <CODE>extract</CODE> without any parameters will extract fields called a10, a11, and a12. You can then refer to those field names in successive commands.</P> <P>For a simple confirmation, append a <CODE>| table a10 a11 a12</CODE> to your <CODE>extract</CODE>.</P> Fri, 05 Apr 2013 07:07:32 GMT https://community.splunk.com/t5/Dashboards-Visualizations/extract-usage-basics/m-p/84754#M4579 martin_mueller 2013-04-05T07:07:32Z