Hey All,
So, the field extractor in Splunk is working great. I can search by any of my custom fields. The only problem however seems to be that no matter what I do, it calls all of my custom fields "FIELDNAME".
I can't seem to find anything to quickly rename those, and I'm not familiar enough with the RegEx to rename it at extraction. Any chance someone can help?
-Travis
You are talking about the interactive field extractor built into Splunk, and not the Field Extractor app, I believe. The way to change the fieldname, is to SAVE the extraction, which pops up a dialogbox where you name the field.
You are talking about the interactive field extractor built into Splunk, and not the Field Extractor app, I believe. The way to change the fieldname, is to SAVE the extraction, which pops up a dialogbox where you name the field.
Please see the Splunk UI fiels-> field extraction. Choose the field. Change the names according to your requirement. Or you can also modify them in props.conf and restart to get them worked. Hope it helps. Thanks