Splunk Search

I extracted a new field and validated it from a csv file. How do I see and use it for searches?

skender27
Contributor

Hi,

I am new to Splunk, but I already like its features.
I was trying to extract a field from my loaded .csv file and I validated it correctly (from the sample event and then the field value), but I do not know how to see it in the visualization or use it in a search.
I can easily use boolean searches, concatenation with the pipeline, and sorting, but:
Could you give me an example of a search which uses a newly extracted field (e.g. in my file I use the Status field, which has some string values)?

Thanks for any suggestion,
Skender

neelamssantosh
Contributor

If you want to see the values of the Status field, use:

xxxxxxx status=* | stats count values(status) by host/sourcetype/source

http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/CommonStatsFunctions
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ListOfSearchCommands

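The search pattern from the answer above applied to the Status field from the question, as an added example that is not part of any post here; it assumes the CSV was indexed into index=main with sourcetype=csv and that the saved extraction is named Status with values such as Open and Closed:

```spl
index=main sourcetype=csv Status=*
| stats count BY Status

index=main sourcetype=csv Status=*
| stats count values(Status) AS statuses BY source

index=main sourcetype=csv Status="Closed"
| table _time source Status

index=main sourcetype=csv Status=*
| timechart span=1d count BY Status
```

Field names are case-sensitive in Splunk, so Status=* matches nothing if the extraction was saved as status, while field values typed in the search bar are matched case-insensitively. The field sidebar lists an extraction under Interesting fields only when it occurs in enough of the matching events, so check All fields to confirm the extraction is applied.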

skender27
Contributor

Sorry to ask, but when I created/extracted a new field, I thought I would see the new field when I go to All fields (Splunk Light version). Is that correct?

Skender


gyslainlatsa
Motivator

Use the regular expression.


gyslainlatsa
Motivator

Hi,
I hope this can help you.
That is an example of using a regular expression to extract fields:

<row>
  <table id="table1">
    <title>Count number of HSR and SLA Hours by category: Between $time_range.earliest$ and $time_range.latest$</title>
    <searchTemplate>index=tickets | rex "(?im)^\"\\d+\\-\\d+,\\d+\\-\\d+,(?P&lt;HSR&gt;[^,]+),(?P&lt;SLA&gt;[^,]+)" | rex "(?im)^(?:[^\\-\\n]*\\-){6}\\w+\\s+\\w+,\\d+,(?P&lt;CATEGORY&gt;[^,]+)" | stats count by CATEGORY</searchTemplate>
    <earliestTime>$time_range.earliest$</earliestTime>
    <latestTime>$time_range.latest$</latestTime>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">row</option>
    <option name="count">10</option>
  </table>
</row>