Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Field extraction using Splunk dashboard - appending constant text to an extracted field

jamesar
Explorer
‎11-23-2016 06:02 PM

I am wanting to extract a new field from the original source field, based on regex matches. I would then like to prepend/append some constant text to the extracted value. I would like to do this using the field transformation and field extraction dialogs in the Splunk web admin (alternatively I can also modify the light forwarder configs).

As an example, if the log file source contains the text "External", I would like to create a new field called "zone" with the value "Zone-External". I can achieve this via splunk search using the rex and eval commands, like the following:

Example source:
/opt/app/logs/CrowdCounting/cc_ip52_External-20161123.log

Dashboard query:
sourcetype=crowd_count | rex field=source "(?<zone_extract>External|OutsideCorner|Inside|FarSide)" | eval zone="Zone-".zone_extract

Using the field transformation/extraction admin dialogs, I can extract a field containing the matched text (i.e. zone=External), but I am unable to prepend/append any text to the value. Does anyone know how I can achieve this?

Alternatively, it would be also ok if I can do this via the splunkforwarder configs, however it appears this is not possible on a light forwarder. But I may be wrong?

Note: the data is ingested using a light universal splunkforwarder, and I am not able to modify the configs on the indexer at all.

Thanks,
Allan

Reply

woodcock
Esteemed Legend
‎03-11-2017 09:23 AM

Go to Settings -> Fields -> Field extractions -> New
Select the app that should own this field extraction from the Destination app list.
Select sourcetype from the Apply to list and enter crowd_count in the named box.
Select inline from the type list and enter (?<zone_extract>External|OutsideCorner|Inside|FarSide) in the Extraction/Transform field.
Click Save.

Go to Settings -> Fields -> Calculated fields -> New
Select the app that should own this field extraction from the Destination app list.
Select sourcetype from the Apply to list and enter crowd_count in the named box.
Enter zone in the Name box.
Enter "Zone-" + zone_extract in the Eval expression box.
Click Save.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-25-2016 01:10 AM

Hi jamesar.
try

sourcetype=crowd_count | rex field=source "(?<zone_extract>External|OutsideCorner|Inside|FarSide)" | eval zone="Zone-"+zone_extract

Bye.
Giuseppe

0 Karma
Reply

jamesar
Explorer
‎11-27-2016 04:22 PM

Hmm.. thanks for your effort Joseph. But as I said in the question, my search query listed in my question works correctly. However, I need to achieve this via the admin web interface (Field Transformations/Extractions pages) or alternatively via the Splunk light forwarder configs (although I don't think that is possible without modifying the configs on the Splunk indexer, which I do not have access to).

Thanks anyway,
Allan

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-28-2016 01:50 AM

Hi jamesar,
sorry, I didn't understand your need!
every way, you can use the admin web interface:

  • to extract the zone_extract field modifying regex with (?<zone_extract>External|OutsideCorner|Inside|FarSide) on source, or creating a new one with this regex;
  • create the "zone" field using calculated fields "Zone-"+zone_extract.

Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top