Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I add a new field extraction using transforms?

circleup
Explorer
‎10-16-2016 09:14 PM

How do I add a new field extraction using the field transformations I've configured?

We're using Splunk Light Cloud. According to the docs (Knowledge Manager Manual > Use the Field extractions page), there should be an option to select "Uses transform" when adding a new field extraction.

But the only way I can figure out how to even add a field extraction is by clicking the "Open Field Extractor" button which takes me straight into the inline extraction wizard. That wizard provides no options to reference a transformation.

Am I missing something? Thanks!

0 Karma
Reply

lukejadamec
Super Champion
‎10-17-2016 03:38 AM

What are you trying to transform?

0 Karma
Reply

circleup
Explorer
‎10-17-2016 05:17 AM

Trying to do workaround 2) suggested here: https://answers.splunk.com/answers/453876/sourcetypes-with-docker-and-http-event-collector.html#answ....

0 Karma
Reply

TStrauch
Communicator
‎10-17-2016 03:33 AM

Hi,

try this.

Settings --> Fields --> Field extractions --> New --> Type (Dropdown) Select "Uses Transform".

You can use multiple Transforms separating them by comma.

regards

0 Karma
Reply

circleup
Explorer
‎10-17-2016 05:15 AM

Problem is I don't see any "New" option where I can select the "Type". That's certainly what the instructions sound like should be there.

Here's a screenshot of what I see: field extraction. The "Open Field Extractor" puts me directly into configuring an inline extraction, no option for transform.

0 Karma
Reply

TStrauch
Communicator
‎10-17-2016 11:31 AM

Ok i found a way you can do it.

Define your Tranforms.

Go to Data --> Sourcetypes --> Select the sourcetype on which you want to add the Transfomrations --> Click edit --> click advanced --> click "new setting"

Fill the first Field with "REPORT-yourreportname" and the second with "yourtransformationname"

this works. i tested it.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...