Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Create a field out of matched search strings

skippylou
Communicator
‎09-04-2010 12:17 AM

So trying to figure out if using rex is the best way to do this.

When you search for say "blah one", in the resulting events, the matched text "blah one" is highlighted. I don't actually see any special field made out of this though (maybe there is a default one or something?).

What I'd like to do is for searches that have multiple ORs, like: "blah one" OR "blah two" OR "blah three", have a field called matched_text or something that contains the matched string for each event in the results.

Is using individual rex commands with each search string the best way or am I overlooking something obvious.

Thanks,

scott

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jrodman
Splunk Employee
Splunk Employee
‎09-04-2010 02:00 AM

The highlighting behavior was designed for usability enhancement, whether or not a field existed, it highlights the matching text. You can trigger this behavior manually, if you want, with the |highlight command.

As for creating fields ad-hoc, on pattern matching, rex is the tool to use. |rex (?P<myfield>blah \w+)

View solution in original post

Reply
Solved! Jump to solution

skippylou
Communicator
‎09-06-2010 05:07 PM

Basically looking to see of the resulting events returned match against which set of search terms. So in the example above, how many events returned match "blah one", etc.

I figured rex was the way to go here, but wasn't sure if part of the process that splunk uses to highlight the matched search terms in the resulting events was exposed somehow.

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎09-05-2010 09:35 PM

It might be helpful to know what you ultimately want to do with this field.

0 Karma
Reply
Solved! Jump to solution
Solution

jrodman
Splunk Employee
Splunk Employee
‎09-04-2010 02:00 AM

The highlighting behavior was designed for usability enhancement, whether or not a field existed, it highlights the matching text. You can trigger this behavior manually, if you want, with the |highlight command.

As for creating fields ad-hoc, on pattern matching, rex is the tool to use. |rex (?P<myfield>blah \w+)

Reply
Solved! Jump to solution

skippylou
Communicator
‎09-04-2010 03:55 AM

Thanks, rex it is then.

0 Karma
Reply
Get Updates on the Splunk Community!

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...