Extract a Value from a Field

corydm
New Member

Terminology might be off, but I'll give the exact example:
"The session setup from computer 'NOCSERVER_A123' failed because the security....." and so on. This is a field called "Message" and I would like to assign "NOCSERVER_A123" to its own field called Hostname. My intention is that when I search, my query returns just the Hostname, and not the entire "Message" field.

I've tried a few different things with no luck, and I believe the problem is that I have a very basic grasp on how to achieve this. I would really appreciate it if someone could clear up how to do this, and if possible, explain it a little or give me links to some documentation/tutorial pages. I feel like what I've been doing with the transforms.conf and props.conf is incorrect.

Thanks!


LukeMurphey
Champion

You do this easily with props and transforms. Your props.conf will look something like this:

[host_from_message]
# run the regex against the Message field instead of the raw event
SOURCE_KEY = Message
REGEX = The session setup from computer '(.+)' failed because the security
# $1 is the first capture group; FORMAT is field::value with no quotes
FORMAT = hostname::$1

With a transforms.conf entry like:

[your_sourcetype]
# apply the transform above at search time for this sourcetype
REPORT-host_from_message = host_from_message

As @Ayn said, check the docs out. They are very helpful.


aholzer
Motivator

Have you tried defining a field extraction with regex?

Something like this might help you:
'(?<FIELD_NAME>[^']+)'

This would extract everything between two single quotes that isn't a single quote into a field called "FIELD_NAME". You may have to escape the single quotes; I'm not 100% sure on that bit.

If your hostname isn't always contained within single quotes then you would have to play around with regex to identify the exact expression in which to extract your hostnames.

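As an added illustration that is not part of this thread or of Splunk itself, the Python script below emulates what a search-time REPORT transform does with the two regexes from the answers above, run over a few constructed events: it applies REGEX to the SOURCE_KEY field, then either maps FORMAT's `$1` to a field name or turns PCRE named groups into fields directly. It assumes Splunk's `field::$1` FORMAT syntax and `(?<name>...)` group syntax; Python's `re` only understands `(?P<name>...)`, so the script rewrites that before matching.

```python
import re

# Constructed sample events (not from the thread): the Message from the
# question with an invented continuation, a second host, and a non-matching
# line that still contains single quotes.
SAMPLE_EVENTS = [
    {"Message": "The session setup from computer 'NOCSERVER_A123' failed "
                "because the security database does not contain a trust account."},
    {"Message": "The session setup from computer 'NOCSERVER_B456' failed "
                "because the security database does not contain a trust account."},
    {"Message": "Logon attempt by user 'svc_backup' succeeded."},
]

# Stanza modelled on the REGEX/FORMAT answer: $1 is the first capture group.
TRANSFORM_HOST = {
    "SOURCE_KEY": "Message",
    "REGEX": r"The session setup from computer '(.+)' failed because the security",
    "FORMAT": "hostname::$1",
}
# Named-group variant from the other answer, in Splunk's PCRE syntax.
TRANSFORM_NAMED = {"SOURCE_KEY": "Message", "REGEX": r"'(?<Hostname>[^']+)'"}

_PCRE_NAMED = re.compile(r"\(\?<([A-Za-z_]\w*)>")  # (?<name> but not (?<= / (?<!

def apply_transform(event, stanza):
    """Emulate one search-time REPORT transform on one event.
    Returns the fields it would add (empty dict when REGEX does not match)."""
    source = event.get(stanza.get("SOURCE_KEY", "_raw"), "")
    # Python's re only accepts (?P<name>...), so rewrite PCRE named groups.
    m = re.search(_PCRE_NAMED.sub(r"(?P<\1>", stanza["REGEX"]), source)
    if not m:
        return {}
    fmt = stanza.get("FORMAT")
    if fmt is None:
        # No FORMAT: every named group that matched becomes a field.
        return {k: v for k, v in m.groupdict().items() if v is not None}
    fields = {}
    for pair in fmt.split():  # FORMAT may hold several field::value pairs
        name, value = pair.split("::", 1)
        # Substitute $1, $2, ... with the matching capture groups.
        fields[name] = re.sub(r"\$(\d+)", lambda g: m.group(int(g.group(1))) or "", value)
    return fields

def extract_field(events, stanza, field):
    """Value of `field` per event, or None where the transform did not fire."""
    return [apply_transform(e, stanza).get(field) for e in events]

if __name__ == "__main__":
    for stanza in (TRANSFORM_HOST, TRANSFORM_NAMED):
        print(stanza["REGEX"], "->", [apply_transform(e, stanza) for e in SAMPLE_EVENTS])
```

Note how the loose `'(?<Hostname>[^']+)'` pattern also fires on the logon line and labels `svc_backup` as a Hostname, which is the caveat about quoted values raised above; the anchored pattern skips that event entirely.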