Splunk Search

How do I create my own field based on events returned from a search?

kvsajay213
New Member

I have Event Output below

RPT: /DailyTestReport

I want to create a field as RPT and Field value as "/DailyOperation Reports ".

0 Karma

sk314
Builder

You could use rex on _raw field like so:

<your sourcetype> | rex field=_raw "RPT: (?<RPT>\w+)"

A better way would be to get your field extractions specified in props.conf and transforms.conf. Have a look at the documentation at the following link:

http://docs.splunk.com/Documentation/Splunk/6.2.2/Knowledge/Aboutfields

0 Karma

stephane_cyrill
Builder

Hi there are many ways :
lets do IFX.
1-from the result of your search.click the arrow to the left of timestamp of an event.
2-select EXTRACT FIELD under EVENT ACTION
3-the IFX opens in a new window, EXTRACT FIELDS.
4-Now it depending on the splunk version,the UI will be different. but in 6.2... there are steps.
5- at the first or the 2nd step, where you have a sample event, SELECT THE STRING you consider as value, a text box will be open and PUT THE NAME OF THE FIELD.
6-after that follow carefully the other steps ......

for other ways see:
docs.splunk.com/Documentation/Splunk/6.2.2/Knowledge/Managesearch-timefieldextractions

0 Karma

jtrucks
Splunk Employee
Splunk Employee

jtrucks
Splunk Employee
Splunk Employee

You can access this via Splunkweb under settings -> fields -> field transformations, as well. Otherwise, you could do dances around with rex as well.

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>