Splunk Search

How to apply a field extractor I have already created to a search?

Engager

I created a field extractor for different fields of an event. Now I would like to search all the events from a source and apply that field extractor to see the fields that I'm interested in. The field extractor seems to appear, but I don't know how to apply it in my search. I've tried REPORT- but no luck. How can I apply a field extractor that is already created in a search?


SplunkTrust

Use the extract command. For example, if you have a field extractor in a stanza in transforms.conf called "foo" then you would use it this way.

<your base search> | extract foo | ...
---
If this reply helps you, an upvote would be appreciated.

New Member

It cannot be done. Splunk is stupid and non-intuitive, or maybe they want to sell professional services like ITRS does; it cannot be done the way you want it. You have to plunk down the regex in its entirety.


SplunkTrust

Except they do sell PS and stay busy helping people who won't read the manual or for whatever reason can't find the time to.

Each field extraction is generally applied to a sourcetype. The extractions are only going to work on the sourcetypes they've been set up for, only in the apps they've been configured in (unless the extraction is set to global sharing), and only for those users who have read permission on the app they are found in.

It's complicated, but only if you don't take the time to study the material and your environment first.

Path Finder

I have the same issue here, and I cannot access the transforms.conf file (or the server's file system at all) to get the stanza of my field extractor.
In the Splunk Web UI, in the field extractions overview, the name of my field extractor is like my_sourcetype : EXTRACT-my_new_field.
Is there any other way to derive the stanza through the Splunk Web UI?


SplunkTrust

Hi romanwaldecker,

Late to the party, but yes this can be done using the UI. But you need to understand the differences in the various possible field extractions that can be configured in props.conf.

  • EXTRACT is an inline search time regex field extraction that is not linked to transforms.conf
  • REPORT is a search time field extraction that is linked to transforms.conf
  • TRANSFORMS is an index-time/parsing field extraction

Since you have an EXTRACT option configured, there is no transforms.conf stanza linked.
An example for a REPORT option is the default field extraction of splunk_web_access which you can see using this URI:

 http[s]://YourSplunkServer:YourPort/en-GB/manager/launcher/data/props/extractions/splunk_web_access%20%3A%20REPORT-access?action=edit&ns=system&f_sort_key=value&f_sort_dir=asc&uri=%2FservicesNS%2Fnobody%2Fsystem%2Fdata%2Fprops%2Fextractions%2Fsplunk_web_access%2520%253A%2520REPORT-access

The transform stanza name will be access-extractions which in turn could be used with the extract command like this:

<your base search> | extract access-extractions | ...

Hope this helps ...

cheers, MuS
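To make the EXTRACT/REPORT distinction above concrete, here is an added example (not code from the thread, and not Splunk's own implementation) that parses a constructed props.conf and transforms.conf, lists which search-time extractions of a sourcetype are inline and which reference a transforms.conf stanza, and then applies a stanza's REGEX to a sample event the way `| extract <stanza>` would. The stanza names (my_sourcetype, access-extractions), field names and the sample access-log line are constructed for the example; only the key shapes EXTRACT-* and REPORT-* are Splunk's.

```python
"""Added example: resolve search-time field extractions from props.conf /
transforms.conf and apply one to an event, mimicking `| extract <stanza>`.

All stanza names, field names and the sample event are constructed for
this example and are not taken from the thread or from a real deployment.
"""
import re

# Constructed props.conf: one inline EXTRACT (no transforms link) and one
# REPORT that names a transforms.conf stanza.
PROPS_CONF = r"""
[my_sourcetype]
EXTRACT-my_new_field = ^(?P<my_new_field>\w+)
REPORT-access = access-extractions
"""

# Constructed transforms.conf: the stanza that REPORT-access points at.
# Splunk also accepts the PCRE (?<name>...) form; Python's re wants (?P<name>...).
TRANSFORMS_CONF = r"""
[access-extractions]
REGEX = ^(?P<clientip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+)
"""

# Constructed sample event (Apache-style access line).
SAMPLE_EVENT = '10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 1234'


def parse_conf(text):
    """Minimal parser for Splunk's ini-style .conf files: {stanza: {key: value}}.
    Keys stay case-sensitive and values are split on the first '=' only,
    so a REGEX that itself contains '=' survives intact."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def list_extractions(props, sourcetype):
    """Return (key, kind, target) tuples for one sourcetype stanza.
    EXTRACT entries carry their regex inline (nothing to name in `extract`);
    REPORT entries carry the transforms.conf stanza name(s) they reference
    (Splunk allows a comma-separated list)."""
    result = []
    for key, value in props.get(sourcetype, {}).items():
        if key.startswith("EXTRACT-"):
            result.append((key, "EXTRACT", value))
        elif key.startswith("REPORT-"):
            for stanza in value.split(","):
                result.append((key, "REPORT", stanza.strip()))
    return result


def extract(transform_name, transforms, event):
    """Mimic `| extract <transform_name>`: look up the stanza's REGEX and
    return the named-group fields it pulls out of one event ({} on no match)."""
    stanza = transforms.get(transform_name)
    if stanza is None or "REGEX" not in stanza:
        raise KeyError(f"no transforms.conf stanza '{transform_name}' with a REGEX")
    match = re.search(stanza["REGEX"], event)
    return match.groupdict() if match else {}


def extract_inline(regex, event):
    """Apply an EXTRACT-* regex directly; there is no stanza to hand to `extract`."""
    match = re.search(regex, event)
    return match.groupdict() if match else {}


if __name__ == "__main__":
    props = parse_conf(PROPS_CONF)
    transforms = parse_conf(TRANSFORMS_CONF)
    for key, kind, target in list_extractions(props, "my_sourcetype"):
        if kind == "REPORT":
            print(f"{key} -> `| extract {target}` ->", extract(target, transforms, SAMPLE_EVENT))
        else:
            print(f"{key} is inline, no transforms stanza ->", extract_inline(target, SAMPLE_EVENT))
```

Running it shows why the `extract` command only helps for REPORT-style extractions: REPORT-access resolves to the access-extractions stanza and yields clientip, timestamp, method and uri, whereas EXTRACT-my_new_field has no stanza name to pass to `extract` at all. A stanza that is referenced but missing from transforms.conf raises a KeyError rather than silently returning nothing, which is the check to run when fields fail to appear.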

Contributor

Hello @MuS,

I'm even later to the party, but am running into a somewhat similar situation. I have new data coming in via syslog, but no fields are auto-extracted. So, I'm using REPORT to extract them. I have the stanza ready, but I placed it on the heavy forwarder by mistake. Should I place it in the props on the search head or on the indexer for the change to work?

Thank you,


SplunkTrust

Hi there, since you're using REPORT it has to go on the search head, as written and explained above:

  • REPORT is a search time field extraction that is linked to transforms.conf

cheers, MuS
