Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Create a field out of matched search strings

skippylou
Communicator
‎09-04-2010 12:17 AM

So trying to figure out if using rex is the best way to do this.

When you search for say "blah one", in the resulting events, the matched text "blah one" is highlighted. I don't actually see any special field made out of this though (maybe there is a default one or something?).

What I'd like to do is for searches that have multiple ORs, like: "blah one" OR "blah two" OR "blah three", have a field called matched_text or something that contains the matched string for each event in the results.

Is using individual rex commands with each search string the best way or am I overlooking something obvious.

Thanks,

scott

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jrodman
Splunk Employee
Splunk Employee
‎09-04-2010 02:00 AM

The highlighting behavior was designed for usability enhancement, whether or not a field existed, it highlights the matching text. You can trigger this behavior manually, if you want, with the |highlight command.

As for creating fields ad-hoc, on pattern matching, rex is the tool to use. |rex (?P<myfield>blah \w+)

View solution in original post

Reply
Solved! Jump to solution

skippylou
Communicator
‎09-06-2010 05:07 PM

Basically looking to see of the resulting events returned match against which set of search terms. So in the example above, how many events returned match "blah one", etc.

I figured rex was the way to go here, but wasn't sure if part of the process that splunk uses to highlight the matched search terms in the resulting events was exposed somehow.

0 Karma
Reply
Solved! Jump to solution

gkanapathy
Splunk Employee
Splunk Employee
‎09-05-2010 09:35 PM

It might be helpful to know what you ultimately want to do with this field.

0 Karma
Reply
Solved! Jump to solution
Solution

jrodman
Splunk Employee
Splunk Employee
‎09-04-2010 02:00 AM

The highlighting behavior was designed for usability enhancement, whether or not a field existed, it highlights the matching text. You can trigger this behavior manually, if you want, with the |highlight command.

As for creating fields ad-hoc, on pattern matching, rex is the tool to use. |rex (?P<myfield>blah \w+)

Reply
Solved! Jump to solution

skippylou
Communicator
‎09-04-2010 03:55 AM

Thanks, rex it is then.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...