Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Create a field out of matched search strings

skippylou
Communicator
‎09-04-2010 12:17 AM

So trying to figure out if using rex is the best way to do this.

When you search for say "blah one", in the resulting events, the matched text "blah one" is highlighted. I don't actually see any special field made out of this though (maybe there is a default one or something?).

What I'd like to do is for searches that have multiple ORs, like: "blah one" OR "blah two" OR "blah three", have a field called matched_text or something that contains the matched string for each event in the results.

Is using individual rex commands with each search string the best way or am I overlooking something obvious.

Thanks,

scott

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jrodman
Splunk Employee
Splunk Employee
‎09-04-2010 02:00 AM

The highlighting behavior was designed for usability enhancement, whether or not a field existed, it highlights the matching text. You can trigger this behavior manually, if you want, with the |highlight command.

As for creating fields ad-hoc, on pattern matching, rex is the tool to use. |rex (?P<myfield>blah \w+)

View solution in original post

Reply
Solved! Jump to solution

skippylou
Communicator
‎09-06-2010 05:07 PM

Basically looking to see of the resulting events returned match against which set of search terms. So in the example above, how many events returned match "blah one", etc.

I figured rex was the way to go here, but wasn't sure if part of the process that splunk uses to highlight the matched search terms in the resulting events was exposed somehow.

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎09-05-2010 09:35 PM

It might be helpful to know what you ultimately want to do with this field.

0 Karma
Reply
Solved! Jump to solution
Solution

jrodman
Splunk Employee
Splunk Employee
‎09-04-2010 02:00 AM

The highlighting behavior was designed for usability enhancement, whether or not a field existed, it highlights the matching text. You can trigger this behavior manually, if you want, with the |highlight command.

As for creating fields ad-hoc, on pattern matching, rex is the tool to use. |rex (?P<myfield>blah \w+)

Reply
Solved! Jump to solution

skippylou
Communicator
‎09-04-2010 03:55 AM

Thanks, rex it is then.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...