
why fields should be extracted from raw data in splunk?

New Member

why we need to extract fields from machine data?

0 Karma

Re: why fields should be extracted from raw data in splunk?

SplunkTrust

Fields are the building blocks of searches, reports, and data models in Splunk Enterprise. When you run a search on your event data, Splunk Enterprise looks for fields in that data.

Splunk automatically extracts fields - at least the default fields, which are host, source, and sourcetype. If the auto-extracted fields are not enough for you to perform a search effectively, you have to extract fields manually either at index time or at search time (Field Extraction).

To use the power of Splunk Enterprise search, create additional field extractions. Custom field extractions allow you to capture and track information that is important to your needs, but which is not automatically discovered and extracted by Splunk Enterprise. Any field extraction configuration you provide must include a regular expression that tells Splunk Enterprise how to find the field that you want to extract.

All field extractions, including custom field extractions, are tied to a specific source, sourcetype, or host value. For example, if you create an ip field extraction, you might tie the extraction configuration for ip to sourcetype=access_combined.

Custom field extractions should take place at search time, but in certain rare circumstances you can arrange for some custom field extractions to take place at index time.

Refer:
http://docs.splunk.com/Documentation/Splunk/6.0.7/SearchTutorial/Usefieldstosearch
http://docs.splunk.com/Documentation/Splunk/6.3.3/Knowledge/Aboutfields
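As an added illustration (not code from the answer above or from Splunk), the following Python models what a search-time extraction tied to a sourcetype does: a regex with named capture groups is applied only to events of that sourcetype, and only events that gain the field can be filtered or counted by it, while a raw event count needs no extraction at all. The sample events, the `clientip`/`status`/`method` field names and the `EXTRACTIONS` table are assumptions standing in for a props.conf `EXTRACT-` stanza.

```python
import re
from collections import Counter

# Constructed sample events (not from the original post) in the Apache
# "access_combined" layout the answer uses as its example, plus one
# syslog event for which no custom extraction is configured.
SAMPLE_EVENTS = [
    ('access_combined', '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 2326 "-" "Mozilla/5.0"'),
    ('access_combined', '10.0.0.5 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"'),
    ('access_combined', '192.168.1.9 - - [10/Oct/2023:13:55:38 +0000] "GET /admin HTTP/1.1" 403 128 "-" "curl/8.0"'),
    ('syslog', 'Oct 10 13:55:39 host1 sshd[2211]: Failed password for root from 203.0.113.7 port 4411 ssh2'),
]

# Search-time extractions keyed by sourcetype, mirroring a props.conf
# "EXTRACT-<name>" stanza: a regex whose named groups become field names.
EXTRACTIONS = {
    'access_combined': re.compile(
        r'^(?P<clientip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
        r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+)'
    ),
}

def extract_fields(sourcetype, raw):
    """Fields an event carries at search time: the default field 'sourcetype'
    and '_raw' always, custom fields only if an extraction exists for this
    sourcetype and its regex matches."""
    fields = {'sourcetype': sourcetype, '_raw': raw}
    pattern = EXTRACTIONS.get(sourcetype)
    match = pattern.search(raw) if pattern else None
    if match:
        fields.update(match.groupdict())
    return fields

def count_events(events):
    """Raw volume count: needs no custom extraction at all."""
    return len(events)

def stats_count_by(events, field, **where):
    """Like 'status=401 | stats count by clientip': filter on field values,
    then count by one field. Events without the field are dropped, which is
    why searching on an unextracted field silently returns nothing."""
    counts = Counter()
    for sourcetype, raw in events:
        f = extract_fields(sourcetype, raw)
        if field in f and all(f.get(k) == v for k, v in where.items()):
            counts[f[field]] += 1
    return dict(counts)

if __name__ == '__main__':
    print(count_events(SAMPLE_EVENTS), stats_count_by(SAMPLE_EVENTS, 'clientip', status='401'))
```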


Re: why fields should be extracted from raw data in splunk?

Esteemed Legend

How else are you going to launch all ZIGs?

0 Karma

Re: why fields should be extracted from raw data in splunk?

Esteemed Legend

You only need fields if you need to access specific data inside of your events. If you only need raw volume counts, then you don't need fields. You need fields if you need fields.

0 Karma