Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field extraction using Field Extractor

gcusello
SplunkTrust
SplunkTrust
‎10-17-2016 03:47 AM

Hi at all,
I would extract a field as a part of source field and I know how to do this using rex command

| rex field=source "myregex"

but I'd like to configure this field once and not in all my searches.
I tried putting in field extractor 

field=source "myregex"

but there's something wrong!

Anyone has any idea?

Bye.
Giuseppe

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

TStrauch
Communicator
‎10-17-2016 04:18 AM

Hi,

try this. You cannot use the "Field Extractor" for this. Need to Settings --> Fields --> Field extractions --> New

"myregex" in source

looks something like this then.

(?<newfield>.*) in source

regards

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

TStrauch
Communicator
‎10-17-2016 04:18 AM

Hi,

try this. You cannot use the "Field Extractor" for this. Need to Settings --> Fields --> Field extractions --> New

"myregex" in source

looks something like this then.

(?<newfield>.*) in source

regards

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-17-2016 04:38 AM

Perfect: without double quotes!
Thank you.
Bye.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-17-2016 04:12 AM

The field extractor looks in the entire event. It's equivalent to rex field=_raw "myregex". You'll have to adjust your 'myregex' string to extract the desired field from the whole event.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎10-17-2016 04:17 AM

yes I know, but source field isn't in _row.
Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...