I created a field extractor for different fields for an event. Now I would like to search all the events from a source and apply that field extractor to see the fields that I'm interested in. The field extractor seems to appear, but I don't know how to apply it in my search. I've tried REPORT- but no luck. How can I apply a field extractor that has already been created in a search?
Use the extract command. For example, if you have a field extractor in a stanza in transforms.conf called "foo", then you would use it this way:
<your base search> | extract foo | ...
It cannot be done. Splunk is stupid and non-intuitive, or maybe they want to sell professional services like ITRS does. It cannot be done the way you want it; you have to plunk down the regex in its entirety.
Splunk is stupid and non-intuitive or maybe they want to sell professional services like ITRS does
Except they do sell PS and stay busy helping people who won't read the manual or for whatever reason can't find the time to.
Each field extraction is generally applied to a sourcetype. The extractions are only going to work on the sourcetypes they've been set up for, and only in the apps they've been configured in (unless the extraction is set to global sharing), and only for those users who have read permission on the app they are found in.
It's complicated, but only if you don't take the time to study the material and your environment first.
I have the same issue here. And I cannot access the transforms.conf file (or the server's file system at all) to get the stanza of my field extractor.
In the Splunk Web UI, in the field extractions overview, the name of my field extractor is like my_sourcetype : EXTRACT-my_new_field.
Is there any other way to derive the stanza through the Splunk Web UI?
Late to the party, but yes this can be done using the UI. But you need to understand the differences in the various possible field extractions that can be configured in props.conf.
EXTRACT is an inline search-time regex field extraction that is not linked to transforms.conf
REPORT is a search-time field extraction that is linked to transforms.conf
TRANSFORMS is an index-time/parsing field extraction
Since you have an EXTRACT option configured, there is no transforms.conf stanza linked.
An example for a REPORT option is the default field extraction of splunk_web_access, which you can see using this URI:
The transform stanza name will be access-extractions, which in turn could be used with the extract command like this:
<your base search> | extract access-extractions | ...
Hope this helps ...
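To make the three props.conf options from the answer above concrete, here is an added configuration example (not from the original thread or from Splunk's own defaults). The sourcetype my_syslog, the stanza names my_syslog_fields and my_indexed_field, and the field names are assumptions chosen for illustration; the key names (EXTRACT-, REPORT-, TRANSFORMS-, REGEX, FORMAT, WRITE_META, INDEXED) are the real Splunk configuration keys. Only a transforms.conf stanza can be named on the `| extract` command; an inline EXTRACT- regex is applied automatically at search time and has no stanza to call.

```ini
# props.conf  (search-time entries belong on the search head;
#              the TRANSFORMS- entry belongs on the parsing tier,
#              i.e. the indexer or a heavy forwarder)
[my_syslog]
# EXTRACT: inline search-time regex, no transforms.conf stanza involved.
EXTRACT-my_new_field = user=(?<user>\S+)
# REPORT: search-time extraction that points at a transforms.conf stanza.
REPORT-my_syslog_fields = my_syslog_fields
# TRANSFORMS: index-time extraction, written into the index at parse time.
TRANSFORMS-my_indexed_field = my_indexed_field

# transforms.conf  (assumed stanza names; named capture groups in REGEX
#                   become the field names, so FORMAT is optional here)
[my_syslog_fields]
REGEX = src=(?<src_ip>\d{1,3}(?:\.\d{1,3}){3})\s+dst=(?<dst_ip>\d{1,3}(?:\.\d{1,3}){3})

[my_indexed_field]
REGEX = action=(\w+)
FORMAT = action::$1
WRITE_META = true

# fields.conf  (required so the index-time field is treated as indexed)
[action]
INDEXED = true

# Search that applies the REPORT stanza explicitly (equivalent to what
# the REPORT- line does automatically for sourcetype=my_syslog):
#   sourcetype=my_syslog | extract my_syslog_fields | table _time user src_ip dst_ip
```

The REPORT- line in props.conf makes the extraction run automatically for that sourcetype, so `| extract my_syslog_fields` is mainly useful when the stanza is not bound to the sourcetype you are searching, or when you want to test a transforms.conf stanza before wiring it up.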
I'm even later to the party, but am running into a somewhat similar situation. I have new data coming in via syslog, but no fields are auto-extracted. So I'm using REPORT to extract them. I have the stanza ready, but I placed it on the heavy forwarder by mistake. Should I place it in the props on the search head or the indexer for the change to work?