Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do I add a new field extraction using transforms?

circleup
Explorer
‎10-16-2016 09:14 PM

How do I add a new field extraction using the field transformations I've configured?

We're using Splunk Light Cloud. According to the docs (Knowledge Manager Manual > Use the Field extractions page), there should be an option to select "Uses transform" when adding a new field extraction.

But the only way I can figure out how to even add a field extraction is by clicking the "Open Field Extractor" button which takes me straight into the inline extraction wizard. That wizard provides no options to reference a transformation.

Am I missing something? Thanks!

0 Karma
Reply

lukejadamec
Super Champion
‎10-17-2016 03:38 AM

What are you trying to transform?

0 Karma
Reply

circleup
Explorer
‎10-17-2016 05:17 AM

Trying to do workaround 2) suggested here: https://answers.splunk.com/answers/453876/sourcetypes-with-docker-and-http-event-collector.html#answ....

0 Karma
Reply

TStrauch
Communicator
‎10-17-2016 03:33 AM

Hi,

try this.

Settings --> Fields --> Field extractions --> New --> Type (Dropdown) Select "Uses Transform".

You can use multiple Transforms separating them by comma.

regards

0 Karma
Reply

circleup
Explorer
‎10-17-2016 05:15 AM

Problem is I don't see any "New" option where I can select the "Type". That's certainly what the instructions sound like should be there.

Here's a screenshot of what I see: field extraction. The "Open Field Extractor" puts me directly into configuring an inline extraction, no option for transform.

0 Karma
Reply

TStrauch
Communicator
‎10-17-2016 11:31 AM

Ok i found a way you can do it.

Define your Tranforms.

Go to Data --> Sourcetypes --> Select the sourcetype on which you want to add the Transfomrations --> Click edit --> click advanced --> click "new setting"

Fill the first Field with "REPORT-yourreportname" and the second with "yourtransformationname"

this works. i tested it.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Top