Solved: Field Extractor Naming Everything "FIELDNAME".

tfitzgerald15 · ‎06-28-2013

Hey All,

So, the field extractor in Splunk is working great. I can search by any of my custom fields. The only problem however seems to be that no matter what I do, it calls all of my custom fields "FIELDNAME".

I can't seem to find anything to quickly rename those, and I'm not familiar enough with the RegEx to rename it at extraction. Any chance someone can help?

-Travis

carasso · ‎07-24-2013

You are talking about the interactive field extractor built into Splunk, and not the Field Extractor app, I believe. The way to change the fieldname, is to SAVE the extraction, which pops up a dialogbox where you name the field.

View solution in original post

carasso · ‎07-24-2013

You are talking about the interactive field extractor built into Splunk, and not the Field Extractor app, I believe. The way to change the fieldname, is to SAVE the extraction, which pops up a dialogbox where you name the field.

linu1988 · ‎06-28-2013

Please see the Splunk UI fiels-> field extraction. Choose the field. Change the names according to your requirement. Or you can also modify them in props.conf and restart to get them worked. Hope it helps. Thanks

Field Extractor Naming Everything "FIELDNAME".

Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users

Everything Community at .conf24!

Index This | I’m short for "configuration file.” What am I?