
How to Extract "String" as value using "+Extract New Fields" feature

Path Finder

Hi,

I have some snort logs with priority 0,1,2,3. I used the extract new fields feature to extract the priority value as a priority field and did a pie chart by searching snort | top priority, but my chart ends up showing just the values 0,1,2 or 3.

I noticed that if I used the default fields that were non-values like IP addresses, the chart actually could display by field names. Then I tried to extract another new field, but selecting the string "Priority : 3" as newPriority, the field summary only shows a newPriority count of 1 x "Priority 3".

How do I extract a field like the IP field, where it treats 192.168.1.1 and 192.168.1.2 as 2 different values in the IP field?

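To make the difference concrete, here is an added example (not the poster's own extraction, and not Splunk's own code) that runs the two kinds of extraction over a few constructed Snort alert lines. Selecting the literal text "Priority: 3" in the field extractor produces a regex that only matches events containing that exact string, so the new field is populated for one value only. Selecting just the digit produces a regex with a capture group, and the field then carries "0", "1", "2", "3" as distinct values, which is what `| top priority` needs. The log lines and the helper names are constructed for this example.

```python
import re
from collections import Counter
from typing import List, Optional, Tuple

# Constructed sample Snort alert lines (not real traffic). The "[Priority: N]"
# token is the part the post wants to turn into a searchable field.
SAMPLE_SNORT_LOGS = [
    '[**] [1:1000001:1] TEST rule A [**] [Priority: 3] {TCP} 192.168.1.1:80 -> 192.168.1.5:51234',
    '[**] [1:1000002:1] TEST rule B [**] [Priority: 3] {TCP} 192.168.1.2:443 -> 192.168.1.5:51235',
    '[**] [1:1000003:1] TEST rule C [**] [Priority: 2] {UDP} 192.168.1.3:53 -> 192.168.1.5:51236',
    '[**] [1:1000004:1] TEST rule D [**] [Priority: 1] {TCP} 192.168.1.4:22 -> 192.168.1.5:51237',
    '[**] [1:1000005:1] TEST rule E [**] [Priority: 3] {TCP} 192.168.1.1:80 -> 192.168.1.6:51238',
    '[**] [1:1000006:1] TEST rule F [**] [Priority: 2] {ICMP} 192.168.1.2 -> 192.168.1.6',
]

# What you get when the whole string "Priority: 3" is highlighted: a literal match
# with no capture group. It can only ever yield the one value it was built from.
LITERAL_RE = re.compile(r"Priority: 3")

# What you want: a named capture group around the digits only. Every event with a
# priority then gets a value, and different digits become different field values.
PRIORITY_RE = re.compile(r"\[Priority:\s*(?P<priority>\d+)\]")


def extract_literal(event: str) -> Optional[str]:
    """Literal extraction: returns the fixed string or nothing (the failure mode in the post)."""
    m = LITERAL_RE.search(event)
    return m.group(0) if m else None


def extract_priority(event: str) -> Optional[str]:
    """Capture-group extraction: returns just the priority digits, e.g. '3'."""
    m = PRIORITY_RE.search(event)
    return m.group("priority") if m else None


def top_priority(events: List[str]) -> List[Tuple[str, int, float]]:
    """Approximate `... | top priority`: (value, count, percent) ordered by count."""
    values = [p for p in map(extract_priority, events) if p is not None]
    counts = Counter(values)
    total = len(values)
    return [(v, c, round(100.0 * c / total, 2)) for v, c in counts.most_common()]


def literal_field_summary(events: List[str]) -> Counter:
    """Field summary for the literal extraction: a single value, counted only where it occurs."""
    return Counter(v for v in map(extract_literal, events) if v is not None)


if __name__ == "__main__":
    print("literal extraction field summary:", dict(literal_field_summary(SAMPLE_SNORT_LOGS)))
    for value, count, pct in top_priority(SAMPLE_SNORT_LOGS):
        print(f"priority={value} count={count} percent={pct}")
```

The same capture-group regex can be handed to Splunk's `rex` command (`| rex field=_raw "\[Priority:\s*(?P<priority>\d+)\]"`) to check that the extraction behaves as intended before saving it as a field extraction.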

Path Finder

Hi,

I think I need to extract multiple values as field "Priority", but I am encountering the error below. Not sure what to do next...
[screenshot of the error; image not included]


Path Finder

Hi,

I mean I wanted my field to be in Fields » Field extractions, so that when I search the sourcetype I can see it as a field and straight away know how many priority 1, 2, 3 and 4 events there are as a quick preview. Not by SPL.


New Member

Here are the most important rules for searching in Splunk:

Search terms are case insensitive.
You can combine multiple search terms in a single search.
To search for a phrase, use quotation marks. For example, to search for an exact phrase of failed login, you would enter “failed login” in the search bar.

Boolean logic is supported. You don’t have to write the AND keyword between search terms; it is implied. To specify that either one or two or more arguments should be true, use the OR keyword. To filter out events containing a specific word, use the NOT keyword.

Splunk’s search language is known as the Search Processing Language (SPL). This language contains hundreds of search commands and their functions, arguments, and clauses. For example, to sort results in either ascending or descending order, you would use the SPL command sort. To format results into a tabular output, you can use the table command. Learn More Here...
