topic Re: How to use the query that Field extractor generate to use in your search in Splunk Search

How to use the query that Field extractor generate to use in your search

phamxuantung — Wed, 17 Mar 2021 05:49:54 GMT

Hi, so I try to use Field Extractor (in Extract new fields) to extract some fields from raw logs to make a table. I have successfully show it on my end but other can't. So I want to apply the query that it auto generate in my own search. The query is:

^[^>\n]*>\s+\w+<(?P<Portname>[^>]+)[^:\n]*:\s+(?P<Status>\w+) at <(?P<IP>[^:]+):(?P<Port>[^>]+)

How do I apply it to Splunk search?

Re: How to use the query that Field extractor generate to use in your search

Vardhan — Wed, 17 Mar 2021 06:05:10 GMT

Hi @phamxuantung ,

If the fields are only visible to you but other can't .It means the extractions which you have created are in private.Make it global then others can make use of it.

If you want to put it in search then use the

Rex command

|rex "^[^>\n]*>\s+\w+<(?P<Portname>[^>]+)[^:\n]*:\s+(?P<Status>\w+) at <(?P<IP>[^:]+):(?P<Port>[^>]+)"

If this answer helps you then upvote it.