How do I create my own field based on events retur...

kvsajay213 · ‎04-30-2015

I have Event Output below

RPT: /DailyTestReport

I want to create a field as RPT and Field value as "/DailyOperation Reports ".

sk314 · ‎04-30-2015

You could use rex on _raw field like so:

<your sourcetype> | rex field=_raw "RPT: (?<RPT>\w+)"

A better way would be to get your field extractions specified in props.conf and transforms.conf. Have a look at the documentation at the following link:

http://docs.splunk.com/Documentation/Splunk/6.2.2/Knowledge/Aboutfields

stephane_cyrill · ‎04-30-2015

Hi there are many ways :
lets do IFX.
1-from the result of your search.click the arrow to the left of timestamp of an event.
2-select EXTRACT FIELD under EVENT ACTION
3-the IFX opens in a new window, EXTRACT FIELDS.
4-Now it depending on the splunk version,the UI will be different. but in 6.2... there are steps.
5- at the first or the 2nd step, where you have a sample event, SELECT THE STRING you consider as value, a text box will be open and PUT THE NAME OF THE FIELD.
6-after that follow carefully the other steps ......

for other ways see:
docs.splunk.com/Documentation/Splunk/6.2.2/Knowledge/Managesearch-timefieldextractions

jtrucks · ‎04-30-2015

Use a field transformation to extract both the filename and the value.

See both:

http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Transformsconf

and

http://answers.splunk.com/answers/214487/can-i-extract-a-field-with-a-regexed-dynamic-field.html

--
Jesse Trucks
Minister of Magic

jtrucks · ‎04-30-2015

You can access this via Splunkweb under settings -> fields -> field transformations, as well. Otherwise, you could do dances around with rex as well.

--
Jesse Trucks
Minister of Magic

How do I create my own field based on events returned from a search?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes