Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Apply field extraction to source field
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I need to extract a few fields from the 'source' field.
I do not have access to props.conf.
Is there anyway of doing this extraction from the Splunk Search Head UI? (as I do not have access to change props.conf)
Thanks,
Namritha
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fields » Field transformations » Add new
Name : tranfroms name
Type: regex-based
Regular expression: your regular
Format: your field name::$1
Source key: source
Fields » Field extractions » Add new
Name : extraction name
sourcetype : give your sourcetyp
Type: Use transform
Extraction/Transform: transform name mentioned above
I hope this helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you go to Settings --> Fields --> Field Transformations, you can create a field transform (a field extracting regular expression) that uses the "source" field as the source-key.
Next go to Settings --> Fields --> Field Extractions and create a new extraction, being sure to set the "Type" to Transform and using the Transform you created above.
Be sure to put both of these in the correct app.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@sbbadri beat me to it 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thankyou very much
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fields » Field transformations » Add new
Name : tranfroms name
Type: regex-based
Regular expression: your regular
Format: your field name::$1
Source key: source
Fields » Field extractions » Add new
Name : extraction name
sourcetype : give your sourcetyp
Type: Use transform
Extraction/Transform: transform name mentioned above
I hope this helps
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Badri nailed it. Here are the docs that walk you through it. This will be the same thing as configuring directly via the conf files.
Also remember that you don't need the field names in the capture groups if you use the transforms method.
Some real good reading here too:
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf#Field_extraction_configuration
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf#GLOBAL_SETTINGS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thankyou 🙂
Worked beautifully.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can use rex but it will only apply at search time
Example:
... | rex field=source <REGEX>
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to define it as an extracted field.
I am going to using field1 and field2 in summary indexes, and I do not want to include regex in summary index.
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
