Hi,
I need to extract a few fields from the 'source' field.
I do not have access to props.conf.
Is there any way of doing this extraction from the Splunk Search Head UI (as I do not have access to change props.conf)?
Thanks,
Namritha
Fields » Field transformations » Add new
Name : transform name
Type: regex-based
Regular expression: your regular expression
Format: your field name::$1
Source key: source
Fields » Field extractions » Add new
Name : extraction name
sourcetype : give your sourcetype
Type: Use transform
Extraction/Transform: transform name mentioned above
I hope this helps
If you go to Settings --> Fields --> Field Transformations, you can create a field transform (a field extracting regular expression) that uses the "source" field as the source-key.
Next go to Settings --> Fields --> Field Extractions and create a new extraction, being sure to set the "Type" to Transform and using the Transform you created above.
Be sure to put both of these in the correct app.
@sbbadri beat me to it 🙂
Thank you very much
Badri nailed it. Here are the docs that walk you through it. This will be the same thing as configuring directly via the conf files.
Also remember that you don't need the field names in the capture groups if you use the transforms method.
Some real good reading here too:
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf#Field_extraction_configuration
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf#GLOBAL_SETTINGS
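As an added illustration (not from any of the posters), here is what the two UI forms described above amount to in conf-file terms, with each form field mapped to its setting. The sourcetype name, field names and source path layout are assumed for the example.

```ini
# transforms.conf  (Settings > Fields > Field transformations > Add new)
# The "Name" box becomes the stanza name; "Type: regex-based" means the
# REGEX / FORMAT / SOURCE_KEY settings below are what the form writes.
# Assumed example: source paths shaped like
#   /var/log/app/prod/web01/access.log
# from which an env field ("prod") and a host field ("web01") are taken.
[source_env_host]
# "Source key: source" - match against the source field, not _raw
SOURCE_KEY = source
# "Regular expression" - unnamed capture groups are enough here,
# because FORMAT assigns the field names (see the note above)
REGEX = ^/var/log/app/([^/]+)/([^/]+)/[^/]+\.log$
# "Format: your field name::$1" - one field per capture group
FORMAT = env::$1 host::$2

# props.conf  (Settings > Fields > Field extractions > Add new)
# "sourcetype" is the stanza; "Type: Use transform" produces a REPORT-
# entry whose value is the transform name chosen above.
[app_access]
REPORT-source_env_host = source_env_host
```

Both stanzas must live in the same app context the searches run under (the "correct app" point made earlier), otherwise the extraction is defined but never applied.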
Thank you 🙂
Worked beautifully.
You can use rex
but it will only apply at search time
Example:
... | rex field=source <REGEX>
I want to define it as an extracted field.
I am going to use field1 and field2 in summary indexes, and I do not want to include the regex in the summary index.