https://community.splunk.com/t5/Splunk-Search/How-to-move-raw-data-with-no-field-assigned-to-a-table/m-p/312880#M93654 <P>The simple answer is extract the data into a field.</P> <P>The documentation goes into this in great depth and length, about using the field extractor and many other options: <A href="http://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/Aboutfields">http://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/Aboutfields</A></P> <P>With a quick one-off though you may consider using the <A href="http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/rex">rex</A> command to quickly extract the numeric portion and then use it like so: </P> <PRE><CODE>&lt;base search&gt; | rex "duration (?&lt;duration_ms&gt;\d+)ms" | timechart count min(duration_ms) max(duration_ms) avg(duration_ms) p95(duration_ms) </CODE></PRE> <P><EM>I should note, I only had your one partial sample to work with, therefore milage may vary</EM> but that's the general idea... Build a regular expression to extract the data you want from your events, with appropriate anchoring. If you need help developing regular expressions, I recommend playing with regex101.com or any number of other interactive regex testers.</P> <P>If you are taking formal courses from Splunk it looks like this is started to be covered in <A href="https://www.splunk.com/view/SP-CAAAPYB">Splunk Fundamentals 2</A> and later on with <A href="https://www.splunk.com/view/SP-CAAAPSE">Splunk Data Administration</A>.</P> Sun, 21 Jan 2018 20:29:06 GMT acharlieh 2018-01-21T20:29:06Z https://community.splunk.com/t5/Splunk-Search/How-to-move-raw-data-with-no-field-assigned-to-a-table/m-p/312879#M93653 <P>This might be a really simple question, but I haven't been able to find an answer as of yet. I have some raw data from some events that is for example "(duration 5555ms)" and I want to put that in a "| timechart span=1m count by duration" to create a chart that shows when these events took place and their total duration. There is currently no field set up for duration, it is just raw data. How would I get those numbers into my time chart?</P> Sun, 21 Jan 2018 00:40:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-move-raw-data-with-no-field-assigned-to-a-table/m-p/312879#M93653 cdhippen 2018-01-21T00:40:46Z https://community.splunk.com/t5/Splunk-Search/How-to-move-raw-data-with-no-field-assigned-to-a-table/m-p/312880#M93654 <P>The simple answer is extract the data into a field.</P> <P>The documentation goes into this in great depth and length, about using the field extractor and many other options: <A href="http://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/Aboutfields">http://docs.splunk.com/Documentation/Splunk/7.0.1/Knowledge/Aboutfields</A></P> <P>With a quick one-off though you may consider using the <A href="http://docs.splunk.com/Documentation/Splunk/7.0.1/SearchReference/rex">rex</A> command to quickly extract the numeric portion and then use it like so: </P> <PRE><CODE>&lt;base search&gt; | rex "duration (?&lt;duration_ms&gt;\d+)ms" | timechart count min(duration_ms) max(duration_ms) avg(duration_ms) p95(duration_ms) </CODE></PRE> <P><EM>I should note, I only had your one partial sample to work with, therefore milage may vary</EM> but that's the general idea... Build a regular expression to extract the data you want from your events, with appropriate anchoring. If you need help developing regular expressions, I recommend playing with regex101.com or any number of other interactive regex testers.</P> <P>If you are taking formal courses from Splunk it looks like this is started to be covered in <A href="https://www.splunk.com/view/SP-CAAAPYB">Splunk Fundamentals 2</A> and later on with <A href="https://www.splunk.com/view/SP-CAAAPSE">Splunk Data Administration</A>.</P> Sun, 21 Jan 2018 20:29:06 GMT https://community.splunk.com/t5/Splunk-Search/How-to-move-raw-data-with-no-field-assigned-to-a-table/m-p/312880#M93654 acharlieh 2018-01-21T20:29:06Z https://community.splunk.com/t5/Splunk-Search/How-to-move-raw-data-with-no-field-assigned-to-a-table/m-p/312881#M93655 <P>This is great! I took Splunk fundamentals but they didn't go over rex, so while I've seen it before I didn't exactly know how to use it. Also I tried field extraction but got lost. I'll definitely dive into this documentation, much appreciated!</P> Sun, 21 Jan 2018 21:51:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-move-raw-data-with-no-field-assigned-to-a-table/m-p/312881#M93655 cdhippen 2018-01-21T21:51:02Z https://community.splunk.com/t5/Splunk-Search/How-to-move-raw-data-with-no-field-assigned-to-a-table/m-p/312882#M93656 <P>The free <A href="https://www.splunk.com/view/SP-CAAAPX9">Splunk Fundamentals 1</A> course doesn't get into field extraction... but rather assumes fields are already extracted for you. Fundamentals 2 (which is paid training) picks up where Fundamentals 1 leaves off and gets into the basics of field extractions among other topics.</P> <P>I have to admit I took the older courses and not the Fundmentals series (I don't remember if this was a normal Searching and Reporting class topic, or an Advanced S&amp;R topic, or if rex landed squarely in the Admin course... but different aspects were covered in different parts of my Splunk class journey). </P> Sun, 21 Jan 2018 21:56:24 GMT https://community.splunk.com/t5/Splunk-Search/How-to-move-raw-data-with-no-field-assigned-to-a-table/m-p/312882#M93656 acharlieh 2018-01-21T21:56:24Z