
Apply field extraction to source field

namrithadeepak
Path Finder

Hi,

I need to extract a few fields from the 'source' field.

I do not have access to props.conf.

Is there any way of doing this extraction from the Splunk Search Head UI? (as I do not have access to change props.conf)

Thanks,
Namritha


sbbadri
Motivator

Fields » Field transformations » Add new
Name: transform name
Type: regex-based
Regular expression: your regular expression
Format: your field name::$1
Source key: source

Fields » Field extractions » Add new

Name: extraction name
Sourcetype: your sourcetype
Type: Use transform
Extraction/Transform: transform name mentioned above

I hope this helps


wpreston
Motivator

If you go to Settings --> Fields --> Field Transformations, you can create a field transform (a field extracting regular expression) that uses the "source" field as the source-key.

Next go to Settings --> Fields --> Field Extractions and create a new extraction, being sure to set the "Type" to Transform and using the Transform you created above.

Be sure to put both of these in the correct app.


wpreston
Motivator

@sbbadri beat me to it 🙂


namrithadeepak
Path Finder

Thank you very much


mattymo
Splunk Employee

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managesearch-timefieldextractions#Add_n...

Badri nailed it. Here are the docs that walk you through it. This will be the same thing as configuring directly via the conf files.

Also remember that you don't need the field names in the capture groups if you use the transforms method.

Some real good reading here too:

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf#Field_extraction_configuration
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf#GLOBAL_SETTINGS

- MattyMo
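What the two UI forms in the accepted answer actually write to transforms.conf and props.conf (the docs MattyMo links say the UI path is equivalent to editing the conf files directly), as an added example that is not from the original thread. It assumes a hypothetical sourcetype `app_log` whose events come from source paths shaped like `/var/log/app/<env>/<host>/app.log`; the stanza name, field names and path layout are illustrative, not something the thread states.

```conf
# transforms.conf  (Settings > Fields > Field transformations > Add new)
# Hypothetical transform: pull env and host out of a source path such as
#   /var/log/app/prod/web01/app.log   ->  env=prod  host=web01
# UI mapping: Regular expression = REGEX, Format = FORMAT, Source key = SOURCE_KEY
[source_path_fields]
SOURCE_KEY = source
REGEX      = ^/var/log/app/([^/]+)/([^/]+)/[^/]+$
# Unnamed capture groups are enough here: FORMAT assigns $1/$2 to field names,
# which is the point MattyMo makes above (no named groups needed with transforms).
FORMAT     = env::$1 host::$2

# props.conf  (Settings > Fields > Field extractions > Add new, Type: Use transform)
# REPORT- is a search-time extraction; app_log is the hypothetical sourcetype.
[app_log]
REPORT-source_path_fields = source_path_fields

# Check after saving (and after sharing both objects at app or global level so
# the scheduled summary-indexing search can see them):
#   sourcetype=app_log | stats count by env, host
# Rows for env and host with no rex in the search confirm the extraction works.
```

Two caveats worth knowing before relying on this in a summary-indexing search: the extraction is scoped by the props.conf stanza, so events of a different sourcetype from the same paths will not get the fields unless they get their own REPORT- line (or a `[source::...]` stanza), and a knowledge object left private to the user who created it is invisible to searches owned by anyone else, which is the "correct app" point wpreston raises.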

namrithadeepak
Path Finder

Thank you 🙂
Worked beautifully.


skoelpin
SplunkTrust

You can use rex but it will only apply at search time

Example:

... | rex field=source <REGEX>

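The same extraction done ad hoc with rex, as an added example rather than code from the reply above, using a hypothetical path shape `/var/log/app/<env>/<host>/app.log`, a hypothetical sourcetype `app_log` and index `main`. Unlike a transform's FORMAT, rex has to name its capture groups:

```spl
index=main sourcetype=app_log
| rex field=source "^/var/log/app/(?<env>[^/]+)/(?<host>[^/]+)/[^/]+$"
| stats count by env, host
```

Because rex only runs in the search that contains it, that line has to be repeated in every search that needs `env` and `host`, including the scheduled one that feeds the summary index; a transform-based extraction configured once in Settings removes that need, which is what the original poster is after.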

namrithadeepak
Path Finder

I want to define it as an extracted field.

I am going to use field1 and field2 in summary indexes, and I do not want to include regex in the summary index.
