Hi,
I am new to Splunk, but I already like its features.
I was trying to extract a field from my loaded .csv file and I validated it correctly (from a sample event and then the field value), but I do not know how to see it in the visualization or use it in a search.
I easily use Boolean searches and concatenation with pipelines and sorting, but:
Could you give me an example of a search which uses the newly extracted field (e.g. I use in my file the Status field, which has some string values)?
Thanks for any suggestion,
Skender
If you want to see the values of the Status field, use:
xxxxxxx status=*|stats count values(status) by host/sourcetype/source
http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/CommonStatsFunctions
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ListOfSearchCommands
Sorry to ask, but when I created/extracted a new field, I thought I would see a new field when I go to all fields (Splunk Light version). Is it correct?
Skender
use the regular expression
Hi,
I hope this can help you.
This is an example of using a regular expression to extract a field:
<row>
<table id="table1">
<title>Count number of HSR and SLA Hours by category: Between $time_range.earliest$ and $time_range.latest$</title>
<searchTemplate><![CDATA[index=tickets | rex "(?im)^\"\\d+\\-\\d+,\\d+\\-\\d+,(?P<HSR>[^,]+),(?P<SLA>[^,]+)" | rex "(?im)^(?:[^\\-\\n]*\\-){6}\\w+\\s+\\w+,\\d+,(?P<CATEGORY>[^,]+)" | stats count by CATEGORY]]></searchTemplate>
<earliestTime>$time_range.earliest$</earliestTime>
<latestTime>$time_range.latest$</latestTime>
<option name="wrap">true</option>
<option name="rowNumbers">false</option>
<option name="dataOverlayMode">none</option>
<option name="drilldown">row</option>
<option name="count">10</option>
</table>
</row>
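
An added example, not part of any post in this thread: a self-contained search that builds a few constructed CSV-style lines with makeresults, extracts a field named Status with rex, then filters and aggregates on that field. The sample lines and the ticket_id and server field names are assumptions made for illustration; note that field names are case-sensitive in a search, so Status and status are treated as different fields.

```spl
| makeresults
| eval line=split("1001,web01,Open;1002,web02,Closed;1003,web01,Open;1004,db01,Pending;1005,db01,Open", ";")
| mvexpand line
| rex field=line "^(?<ticket_id>\d+),(?<server>[^,]+),(?<Status>[^,]+)$"
| search Status=* Status!="Closed"
| stats count AS events, values(server) AS servers BY Status
| sort - events
```

Against indexed data, replace the first three lines with the base search for the loaded file and drop `field=line` so that rex runs on the raw event.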