Splunk Search

Can you help me with a problem I'm having parsing fields?

New Member

I'm new to parsing fields in Splunk. And, in truth, I'm not great at regex yet. I'm trying to parse an event in Splunk like this.

[ EVENT_NUMBER = 4768 ]

That way my selected field is Event_Number and the value is 4768. I'm considering 2 options:

  1. Parsing the field with regex. But once that's accomplished I'm not sure what config types I'd need in Splunk.
  2. Identifying the field with a simple parse/transform config. Again, not sure what I need to accomplish this.

Any advice on the best course of action is appreciated.


0 Karma


Hi TitanAE,
try to use the Splunk Field Extractor that guides you in field extraction without knowing Regexes.

You can access it in an easy way:

  • run a search,
  • identify an event where there's the field you want to extract,
  • on this event, click on the ">" button on "i" column,
  • click on Event actions button and Extract Fields option,
  • Splunk opens a new window,
  • click on "Regular Expressions" button and then on "Next" button,
  • using your mouse select the value you want to extract,
  • add the field name and click on "Add extraction" button,
  • check results and then "Next",
  • check if you need some exclusion and then "Next",
  • save your field (I suggest always in App),
  • "Finish"
  • usually you need to reload the page to have the field, and don't fear if you don't see it immediately: it needs some time to be ready.


P.S. I suggest studying regexes: once you know them you'll use only them (personal experience)!

0 Karma
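For readers who want to see what the wizard produces under the hood, here is an added example (not code from either poster) that applies the kind of named-capture regex Splunk would generate to a few constructed sample events. The sourcetype name `my_sourcetype`, the stanza names `event_number` and `bracketed_kv`, and the sample log lines are all assumptions made for the example; the second part goes beyond the question and extracts any `[ KEY = VALUE ]` pair as a field named after the key.

```python
import re

# Constructed sample events (not from the original post): the poster's format,
# variants with different spacing and surrounding text, and one event with a
# different key that must NOT produce an Event_Number field.
SAMPLE_EVENTS = [
    "[ EVENT_NUMBER = 4768 ]",
    "2024-08-01 10:15:02 host=dc01 [EVENT_NUMBER=4769] user=alice",
    "[ EVENT_NUMBER = 4624 ] logon type 10",
    "[ SESSION_ID = 77 ]",
]

# Regex for the single field asked about. The named group becomes the field
# name in Splunk; (?P<name>...) is accepted by both Python's re module and
# Splunk's PCRE engine, so the same pattern can be pasted into a config file.
EVENT_NUMBER_RE = re.compile(r"\[\s*EVENT_NUMBER\s*=\s*(?P<Event_Number>\d+)\s*\]")

# Equivalent search-time extraction in props.conf (what the Field Extractor
# wizard writes). Sourcetype and stanza names are assumptions.
PROPS_CONF_EXTRACT = r"""
[my_sourcetype]
EXTRACT-event_number = \[\s*EVENT_NUMBER\s*=\s*(?P<Event_Number>\d+)\s*\]
""".strip()

# The same regex as an ad-hoc rex command, for testing in the search bar
# before committing to a config file:
#   index=wineventlog | rex field=_raw "\[\s*EVENT_NUMBER\s*=\s*(?<Event_Number>\d+)\s*\]"


def extract_event_number(event: str) -> dict:
    """Return {'Event_Number': '4768'} for a matching event, {} otherwise."""
    m = EVENT_NUMBER_RE.search(event)
    return m.groupdict() if m else {}


# Generalisation beyond the post: every "[ KEY = VALUE ]" pair becomes a field
# named after KEY. In Splunk this is a REPORT- extraction whose transforms.conf
# stanza uses FORMAT = $1::$2 to take the field name from capture group 1.
KV_RE = re.compile(r"\[\s*(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*=\s*(?P<value>[^\]\s]+)\s*\]")

TRANSFORMS_CONF_KV = r"""
[bracketed_kv]
REGEX = \[\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*([^\]\s]+)\s*\]
FORMAT = $1::$2
""".strip()

PROPS_CONF_REPORT = r"""
[my_sourcetype]
REPORT-bracketed_kv = bracketed_kv
""".strip()


def extract_bracketed_fields(event: str) -> dict:
    """Return every [ KEY = VALUE ] pair in the event as {KEY: VALUE}."""
    return {m.group("key"): m.group("value") for m in KV_RE.finditer(event)}


def run_extraction(events) -> list:
    """Apply both extractions to each event, mimicking search-time field output."""
    return [
        {"_raw": e, **extract_event_number(e), "kv": extract_bracketed_fields(e)}
        for e in events
    ]


if __name__ == "__main__":
    for row in run_extraction(SAMPLE_EVENTS):
        print(row)
```

Start with the `rex` command shown in the comment: it lets you confirm the pattern against live events before saving it as an `EXTRACT-` stanza, and the anchoring on the literal `EVENT_NUMBER` key plus the `\d+` value keeps a stray `[ SESSION_ID = 77 ]` from being mislabelled as an event number.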