Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Creating new Field Extractions
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Creating new Field Extractions
I have a set of log data in Splunk Search app contained in source=sampledata,sourcetype=sample.
field1,field2,field3 are new fields that i added through the recievers REST endpoint
3/30/12
8:56:11.000 AM field1=Happy,field2=Sad,field3=Angry
host=myhost sourcetype=sample source=sampledata index=main timestamp=none splunk_server=L33604 punct==,=,= linecount=1
3/30/12
8:56:11.000 AM field1=Happy,field2=Sad,field3=Angry
host=myhost sourcetype=sample source=sampledata index=main timestamp=none splunk_server=L33604 punct==,=,= linecount=1
3/30/12
8:56:11.000 AM field1=Happy,field2=Sad,field3=Angry
host=myhost sourcetype=sample source=sampledata index=main timestamp=none splunk_server=L33604 punct==,=,= linecount=1
Lets say if i want to extract the fields: field1, field2 & field3 at search time, so i configured the say i am going to create new field exractions in $Splunk_HOME/users/admin/search/local/props.conf (props config file for search app)
What is the regex expression to extract each of these fields at search time(extracting the key value pairs during search time)? I thought it would be something like [\^$.|?*+()].
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to disable - extracting the fields based on key=value format in splunk, this is messing up my fields information, as i have defined columns in transform.conf file.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By default, Splunk will automatically extract the fields based on key=value format. the left of equal sign as field name and the right as its value.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As a parameter in the API call. Specifically, the rf parameter. More info here: http://docs.splunk.com/Documentation/Splunk/latest/RESTAPI/RESTsearches#Tips_on_creating_searches
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As in the search commands?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You need to specify the fields you want to be returned in your search request. Do that, and the fields you want will show up.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah. When i want to retrieve the results from the search as an XML through search/jobs/{search_id}/results endpoint the i want the field xml tags to have the new field names i have created.
For example i want to see something like this when i retrieve.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
