How do I add a new field extraction using transforms?

circleup
Explorer

How do I add a new field extraction using the field transformations I've configured?

We're using Splunk Light Cloud. According to the docs (Knowledge Manager Manual > Use the Field extractions page), there should be an option to select "Uses transform" when adding a new field extraction.

But the only way I can figure out how to even add a field extraction is by clicking the "Open Field Extractor" button which takes me straight into the inline extraction wizard. That wizard provides no options to reference a transformation.

Am I missing something? Thanks!

0 Karma

lukejadamec
Super Champion

What are you trying to transform?

0 Karma

circleup
Explorer
0 Karma

TStrauch
Communicator

Hi,

Try this.

Settings --> Fields --> Field extractions --> New --> Type (Dropdown) Select "Uses Transform".

You can use multiple transforms, separating them by commas.

Regards

0 Karma

circleup
Explorer

Problem is I don't see any "New" option where I can select the "Type". That's certainly what the instructions sound like should be there.

Here's a screenshot of what I see: field extraction. The "Open Field Extractor" puts me directly into configuring an inline extraction, no option for transform.

0 Karma

TStrauch
Communicator

OK, I found a way you can do it.

Define your transforms.

Go to Data --> Sourcetypes --> Select the sourcetype on which you want to add the transformations --> Click edit --> click advanced --> click "new setting"

Fill the first field with "REPORT-yourreportname" and the second with "yourtransformationname".

This works. I tested it.

0 Karma
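The sourcetype setting described in the answer above, written out as the props.conf and transforms.conf stanzas it corresponds to. This is an added example, not part of the original thread; the sourcetype name, stanza names, regexes and sample event are constructed for illustration.

```ini
# Constructed sample event for the hypothetical sourcetype "my_app_auth":
#   2024-12-01T10:00:00Z login failed user=alice src=203.0.113.7

# --- transforms.conf: the field transformations (hypothetical stanza names) ---
[extract_auth_user]
# Capture the value after "user=" and expose it as the field "user"
REGEX = user=(\S+)
FORMAT = user::$1

[extract_auth_src]
# Capture a dotted-quad after "src=" and expose it as the field "src_ip"
REGEX = src=(\d{1,3}(?:\.\d{1,3}){3})
FORMAT = src_ip::$1

# --- props.conf: bind the transforms to the sourcetype at search time ---
[my_app_auth]
# Key   = "REPORT-" followed by a class name of your choosing
#         (first box of "new setting")
# Value = one or more transforms.conf stanza names, comma-separated
#         (second box of "new setting")
REPORT-auth_fields = extract_auth_user, extract_auth_src
```

On a deployment without file access, only the `REPORT-auth_fields` line is entered through the sourcetype's advanced settings; the two transform stanzas are the ones already defined under field transformations.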