Field extraction tool not showing whole event.

nocostk
Communicator

I'm trying to use the field extraction tool. The problem is that the field I want to extract is about 18 lines down and the field extraction tool is showing me about 15 lines. Is there a config option to allow more lines to be visible?

carasso
Splunk Employee

The built-in Interactive Field Extractor (IFX) does indeed limit the display to 15 lines to prevent the browser from being abused.

There is a new field extractor tool, which is a separate 4.2 Splunk app. It will solve your problem. Among other improvements, it has an options dialog that allows you to specify the maximum lines per event to show.

http://splunkbase.splunk.com/apps/All/4.x/App/app:Field+Extractor

editor's note: Field Extractor App now at http://apps.splunk.com/app/494/, per below comment.

Some benefits of the new tool:

  • Highlights new extractions as well as showing all existing extractions and fields.
  • Extract fields from other fields (e.g. pull out machine-type from host).
  • Edit extraction, Save, Test, and Delete new and existing extractions
  • Set permissions as public or private.
  • Supports multiple indexes, and system-wide or app-specific changes.
  • Supports multiple fields extracted from one regex.

The tool is still young and any feedback would be appreciated.

bwooden
Splunk Employee

Sadly, the link referenced in carasso's answer is no longer active. Happily, the app is still on "Apps" @ http://apps.splunk.com/app/494/

avery2007
Explorer

Note the app seems to not have been updated since 2014, might be an issue with 8.0 update to Python 3.x

I-Man
Communicator

Make sure the drop down on the top left isn't filtering your selection. It should be showing you much more than 18 lines.

In my opinion, the field extractor doesn't work very well. A better option is to extract fields using rex.

http://www.splunk.com/base/Documentation/4.1.7/SearchReference/Rex

Use rex field=_raw. Once I figured out how to do this I never found the need to use the field extractor again. Also, once you get a regex working you can create a new field in the manager/fields to make it permanent. This was a little tricky at first, so let me know if you get stuck and I can explain how to use it, if you decide to do so.

I-Man

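A worked illustration of the rex approach I-Man describes, added here as an example and not part of any post above. It builds a constructed 20-line event whose field sits on line 18 (past the 15-line preview the built-in extractor shows), runs a Splunk-style regex over the raw text the way `| rex field=_raw` would, and prints the rex command and the props.conf EXTRACT stanza that makes the extraction permanent. The event text, the regex, the field names and the sourcetype `app_log` are all hypothetical. Python's `re` is not PCRE, so this is an offline sanity check of the regex, not a substitute for running it in Splunk; the one syntax difference that always bites (`(?<name>...)` vs `(?P<name>...)`) is translated in `to_python_regex`.

```python
import re

# Constructed sample event (not real data): a 20-line, stack-trace-style
# event whose interesting field sits on line 18, beyond the 15 lines the
# built-in field extractor previews.
SAMPLE_EVENT = "\n".join(
    ["2020-04-01 12:00:00 INFO worker thread started"]
    + [f"  at com.example.app.Layer{i}.run(Layer{i}.java:{i * 10})" for i in range(2, 18)]
    + ["  request_id=REQ-00012345 user=alice"]  # this is line 18
    + ["  at com.example.app.Main.main(Main.java:42)",
       "2020-04-01 12:00:01 INFO worker thread finished"]
)

# Hypothetical regex, written the way you would paste it into `rex` or
# props.conf. (?ms) is what lets it reach 18 lines into _raw: ^ matches at
# every line start and . may cross newlines. Field names are the named groups.
SPLUNK_REGEX = r"(?ms)^\s*request_id=(?<request_id>REQ-\d+)\s+user=(?<user>\w+)"


def to_python_regex(splunk_regex: str) -> str:
    """Splunk regexes are PCRE and name groups (?<name>...); Python's re
    only accepts (?P<name>...). Lookbehinds (?<= and (?<! are left alone."""
    return re.sub(r"\(\?<(?P<name>\w+)>", r"(?P<\g<name>>", splunk_regex)


def extract(event: str, splunk_regex: str) -> dict:
    """Offline stand-in for `| rex field=_raw "<regex>"`: the named groups of
    the first match, or {} when nothing matches (rex likewise just leaves the
    fields unset rather than erroring)."""
    match = re.search(to_python_regex(splunk_regex), event)
    return match.groupdict() if match else {}


def rex_command(splunk_regex: str) -> str:
    """The SPL to run once the regex works. A regex containing double quotes
    would need them escaped inside the SPL string; this one has none."""
    return f'| rex field=_raw "{splunk_regex}"'


def props_conf_stanza(sourcetype: str, name: str, splunk_regex: str) -> str:
    """props.conf EXTRACT-<name> stanza that turns the same regex into a
    permanent search-time field extraction, which is what saving it under
    Manager > Fields > Field extractions writes on your behalf."""
    return f"[{sourcetype}]\nEXTRACT-{name} = {splunk_regex}\n"


if __name__ == "__main__":
    print(extract(SAMPLE_EVENT, SPLUNK_REGEX))
    print(rex_command(SPLUNK_REGEX))
    print(props_conf_stanza("app_log", "request_fields", SPLUNK_REGEX))
```

Iterate on SPLUNK_REGEX against a real event pasted into SAMPLE_EVENT until extract() returns what you expect, then take rex_command() into the search bar; only once that behaves in Splunk should the props.conf stanza be saved, since a search-time regex with (?ms) runs against every event of that sourcetype.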