topic Re: permanently extracting a field in Splunk Search

permanently extracting a field

moe44688 — Thu, 31 Dec 2015 02:36:29 GMT

Hi, I am using regex to extract a field. However, I need to make it permanent so that I don't have use regex in future searches. The regex is:

 rex field=message "(?<Codes>(\w{5,3}\s+)+"

I would really appreciate any help! I hope I've provided sufficient information.

Re: permanently extracting a field

sundareshr — Thu, 31 Dec 2015 03:15:59 GMT

This should help you with permanent extractions

http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/ExtractfieldsinteractivelywithIFX

Re: permanently extracting a field

jkat54 — Thu, 31 Dec 2015 09:21:43 GMT

You can do a search time field extraction by editing the props.conf in the splunk app you're searching within.

[sourcetypeName]
...
extract-codes = (?<Codes>(\w{5,3}\s+)+) in message

if that doesnt work, remove "in message".

In effect, this is what the field extractor sundareshr has mentioned does. Just keep in mind the search time extractions are specific to the splunk app you are in when you run your search/alert/report.