How do I add a new field extraction using transfor...

circleup · ‎10-16-2016

How do I add a new field extraction using the field transformations I've configured?

We're using Splunk Light Cloud. According to the docs (Knowledge Manager Manual > Use the Field extractions page), there should be an option to select "Uses transform" when adding a new field extraction.

But the only way I can figure out how to even add a field extraction is by clicking the "Open Field Extractor" button which takes me straight into the inline extraction wizard. That wizard provides no options to reference a transformation.

Am I missing something? Thanks!

lukejadamec · ‎10-17-2016

What are you trying to transform?

circleup · ‎10-17-2016

Trying to do workaround 2) suggested here: https://answers.splunk.com/answers/453876/sourcetypes-with-docker-and-http-event-collector.html#answ....

TStrauch · ‎10-17-2016

Hi,

try this.

Settings --> Fields --> Field extractions --> New --> Type (Dropdown) Select "Uses Transform".

You can use multiple Transforms separating them by comma.

regards

circleup · ‎10-17-2016

Problem is I don't see any "New" option where I can select the "Type". That's certainly what the instructions sound like should be there.

Here's a screenshot of what I see: . The "Open Field Extractor" puts me directly into configuring an inline extraction, no option for transform.

TStrauch · ‎10-17-2016

Ok i found a way you can do it.

Define your Tranforms.

Go to Data --> Sourcetypes --> Select the sourcetype on which you want to add the Transfomrations --> Click edit --> click advanced --> click "new setting"

Fill the first Field with "REPORT-yourreportname" and the second with "yourtransformationname"

this works. i tested it.

How do I add a new field extraction using transforms?

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023

Security Newsletter Updates | March 2023