
How to extract a new field from 'source' (or other metadata) fields?

tcmarquesi
Explorer

I need to extract a field that is a substring of the 'source' field. My intention was to use something like a regex in transforms.conf, but it seems I can't do it because 'source' is metadata. So, since 'source' is not in the raw event, what is the best (or only) way to do this extraction?

0 Karma
1 Solution

bshuler_splunk
Splunk Employee

SOURCE_KEY = MetaData:Source


0 Karma
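The accepted answer written out as a complete search-time extraction, as an added example that is not from the original post. The sourcetype name, the log path layout (/var/log/app/<env>/<server>/<file>.log) and the field names env and srv are assumptions; SOURCE_KEY, REGEX and REPORT- are the real Splunk configuration keys.

```ini
# --- props.conf (search head / indexer, search-time) ---
# Assumed sourcetype; REPORT- wires the transform below in at search time,
# so it also applies to events that were indexed before the change.
[app_access_log]
REPORT-fields_from_source = extract_env_srv_from_source

# --- transforms.conf ---
# Run the regex against the 'source' metadata field instead of _raw.
# Named capture groups become the extracted fields, so no FORMAT is needed.
# Constructed source value this matches: /var/log/app/prod/web01/access.log
[extract_env_srv_from_source]
SOURCE_KEY = MetaData:Source
REGEX = ^/var/log/app/(?<env>[^/]+)/(?<srv>[^/]+)/[^/]+\.log$

# Ad-hoc equivalent from gcusello's reply, useful to validate the regex
# before committing it to transforms.conf:
#   sourcetype=app_access_log | rex field=source "^/var/log/app/(?<env>[^/]+)/(?<srv>[^/]+)/"
```

Because the fields come from metadata rather than event content, they can be used to scope detections (for example, alerting only on env=prod) without relying on a path string appearing inside the log line itself.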

gcusello
Esteemed Legend

Hi bshuler [Splunk]
if you want to maintain the original source and create a new field, you could extract this field in your search

your_search | rex field=source "your_regex"

or using the web field extraction, inserting in the regex

your_regex in source

Bye.
Giuseppe

0 Karma


tcmarquesi
Explorer

Thank you!

I should have read the docs more before asking... lol

0 Karma