Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to configure search-time fields

mburbidg
Explorer
‎01-19-2011 12:57 AM

I cannot find in the manual how to configure search-time field extraction. I would like to define some fields that apply across all sourcetype. I was told by a splunk trainer that you can't do that using the interactive field extraction tool but can do it in the configuration files.

Anyway I've search through the documentation and can't find either an example of description of how to do this.

0 Karma
Reply

southeringtonp
Motivator
‎01-19-2011 03:57 PM

Looks like you already figured out the first part, but just in case, here's a good reference:
     http://www.splunk.com/base/Documentation/latest/Knowledge/Createandmaintainsearch-timefieldextractio...

If you want the extraction to apply to all sourcetypes, then just create your entry in props.conf at the top of the file, outside of any stanza heading. Entries in the file that are not beneath a [stanza] header are considered to be global.

There's no way to do a wildcard like [log4j-*], at least as of Splunk 4.1. There are three main options:

  1. Define the extraction globally, putting your EXTRACT-xxx or REPORT-xxx line at the top of props.conf.
  2. Define the extraction multiple times, with a separate stanza for each sourcetype
  3. Define the extraction for sourcetype [log4j], and rename each log4j-xxx sourcetype. Going forward, manually assign the sourcetype so that you don't get the variations.

Option 3 is usually preferable.

0 Karma
Reply

mburbidg
Explorer
‎01-19-2011 02:13 AM

I discovered that if the sourcetype is log4j-100, which is a single instances of a set of rolling logs then the field shows up in the field picker and works. Can't I wildcard the sourcetype?

0 Karma
Reply

mburbidg
Explorer
‎01-19-2011 02:04 AM

I found the documentation in the knowledge worker manual. I put the following in etc/system/local/props.conf

[log4j*]
EXTRACT-magazineTitle = (?i) magazineTitle:(?P.+?)\s+\w+:

The extractions shows up in the fields manager, but when I do searches it does not show up in the field picker. Is that normal?

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...