Automatically extracting field at search time

rahiparikh · ‎06-16-2011

Hi,

Previously I was searching and extracting field at search time by explicitly specifying rex command. Now, I want to do the same thing but I want splunk to understand that I want "that" field extracted when relevant data is searched. How can I do using manager? ( Also, I do wish to keep it general i.e. not based on any source or something similar. )

My previous query was -

* | rex "(?<authentication_type>(?i)(password))"

Now, I want to do something like this -

* authentication_type=password

Thanks, Rahil

Ayn · ‎06-20-2011

Use the interactive field extractor.

http://www.splunk.com/base/Documentation/latest/User/InteractiveFieldExtractionExample

Ayn · ‎06-20-2011

If the IFX creates an invalid extraction you can just specify your own regex that you know works.

rahiparikh · ‎06-20-2011

Hi,

I already tried that but in IFE it extracts some not required results. 😞

Though.. Thanks!

mw · ‎06-16-2011

Manager -> Fields -> Field Extractions

You can basically paste a rex regex into the new extraction. However, an extraction must target a source, sourcetype, or host. I suppose you could set the source value to "*" though.

Reading up on props.conf will give you some insight into this: http://www.splunk.com/base/Documentation/latest/admin/Propsconf

rahiparikh · ‎06-20-2011

Hi

Thanks for the reply. I am unable to extract the field the way you specified using Manager.

Automatically extracting field at search time

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...