topic Re: How do I turn search terms into an extracted field? in Splunk Search

How do I turn search terms into an extracted field?

saqibhome — Thu, 30 Aug 2018 20:46:20 GMT

I would like to turn the seach terms into a extract field at the time of search. For e.g.

"search term 1" OR "search term 2" OR "search term 3"

Should become one extracted field. Is that possible in Splunk?

Re: How do I turn search terms into an extracted field?

horsefez — Thu, 30 Aug 2018 21:01:57 GMT

What?

You need to give us more information about what you are trying to do. It's not very clear, sorry.

Do you have some sample events on your hands?
Maybe describe what your expected Output should look like.

Re: How do I turn search terms into an extracted field?

mstjohn_splunk — Thu, 30 Aug 2018 21:42:53 GMT

@saqibhome , thanks for posting on Splunk Answers.

But @pyrowood is right. if you want get this answered, you need to add more context to your question. Our community won't be able to help you if they don't have enough information to understand your problem.

Please see our Answers manual to see how to appropriately ask a question on the site.

Re: How do I turn search terms into an extracted field?

adonio — Thu, 30 Aug 2018 22:00:31 GMT

i think what you are looking for is calls macros
read here:

https://docs.splunk.com/Splexicon:Searchmacro
http://docs.splunk.com/Documentation/Splunk/7.1.2/Knowledge/Searchmacroexamples

but maybe you mean eventtype.
read here:
http://docs.splunk.com/Documentation/Splunk/7.1.2/Knowledge/Abouteventtypes

hope it helps

Re: How do I turn search terms into an extracted field?

saqibhome — Fri, 31 Aug 2018 17:48:15 GMT

Figured it out. I am using the eval along with case to create the extracted field from the search terms. e.g.

"search term 1" OR "search term 2" OR "search term 3" | eval search_term=case(like(_raw, "%search term 1%"), "search term 1", like(_raw, "%search term 2%"), "search term 2",  like(_raw, "%search term 3%"), "search term 3")

search_term becomes the extracted field