Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Field extraction using Splunk dashboard - appending constant text to an extracted field

jamesar
Explorer
‎11-23-2016 06:02 PM

I am wanting to extract a new field from the original source field, based on regex matches. I would then like to prepend/append some constant text to the extracted value. I would like to do this using the field transformation and field extraction dialogs in the Splunk web admin (alternatively I can also modify the light forwarder configs).

As an example, if the log file source contains the text "External", I would like to create a new field called "zone" with the value "Zone-External". I can achieve this via splunk search using the rex and eval commands, like the following:

Example source:
/opt/app/logs/CrowdCounting/cc_ip52_External-20161123.log

Dashboard query:
sourcetype=crowd_count | rex field=source "(?<zone_extract>External|OutsideCorner|Inside|FarSide)" | eval zone="Zone-".zone_extract

Using the field transformation/extraction admin dialogs, I can extract a field containing the matched text (i.e. zone=External), but I am unable to prepend/append any text to the value. Does anyone know how I can achieve this?

Alternatively, it would be also ok if I can do this via the splunkforwarder configs, however it appears this is not possible on a light forwarder. But I may be wrong?

Note: the data is ingested using a light universal splunkforwarder, and I am not able to modify the configs on the indexer at all.

Thanks,
Allan

Reply

woodcock
Esteemed Legend
‎03-11-2017 09:23 AM

Go to Settings -> Fields -> Field extractions -> New
Select the app that should own this field extraction from the Destination app list.
Select sourcetype from the Apply to list and enter crowd_count in the named box.
Select inline from the type list and enter (?<zone_extract>External|OutsideCorner|Inside|FarSide) in the Extraction/Transform field.
Click Save.

Go to Settings -> Fields -> Calculated fields -> New
Select the app that should own this field extraction from the Destination app list.
Select sourcetype from the Apply to list and enter crowd_count in the named box.
Enter zone in the Name box.
Enter "Zone-" + zone_extract in the Eval expression box.
Click Save.

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-25-2016 01:10 AM

Hi jamesar.
try

sourcetype=crowd_count | rex field=source "(?<zone_extract>External|OutsideCorner|Inside|FarSide)" | eval zone="Zone-"+zone_extract

Bye.
Giuseppe

0 Karma
Reply

jamesar
Explorer
‎11-27-2016 04:22 PM

Hmm.. thanks for your effort Joseph. But as I said in the question, my search query listed in my question works correctly. However, I need to achieve this via the admin web interface (Field Transformations/Extractions pages) or alternatively via the Splunk light forwarder configs (although I don't think that is possible without modifying the configs on the Splunk indexer, which I do not have access to).

Thanks anyway,
Allan

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎11-28-2016 01:50 AM

Hi jamesar,
sorry, I didn't understand your need!
every way, you can use the admin web interface:

  • to extract the zone_extract field modifying regex with (?<zone_extract>External|OutsideCorner|Inside|FarSide) on source, or creating a new one with this regex;
  • create the "zone" field using calculated fields "Zone-"+zone_extract.

Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...