Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

I extracted a new field and validated it from a csv file. How do I see and use it for searches?

skender27
Contributor
‎04-27-2015 05:39 AM

Hi,

I am new to Splunk, but I already like its features.
I was trying to extract a field from my loaded .csv file and I validated correctly (from sample event and then field value), but I do not know how to see it in the visualization or use it in a search.
I use easily boolean searches and concatenation with pipeline and sorting, but:
Could you tell me an example with a search which uses new extracted field (e.g I use in my file the Status field which has some string values)?

Thanks for any suggestion,
Skender

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

neelamssantosh
Contributor
‎04-27-2015 08:18 AM

if you want to see the values of Status field use,

xxxxxxx status=*|stats count values(status) by host/sourcetype/source

http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/CommonStatsFunctions
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ListOfSearchCommands

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

neelamssantosh
Contributor
‎04-27-2015 08:18 AM

if you want to see the values of Status field use,

xxxxxxx status=*|stats count values(status) by host/sourcetype/source

http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/CommonStatsFunctions
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ListOfSearchCommands

0 Karma
Reply
Solved! Jump to solution

skender27
Contributor
‎04-27-2015 09:08 AM

Sorry to ask, but when I created/extracted a new field, I thought I would see a new field when I go to all fields (Splunk Light version). Is it correct?

Skender

0 Karma
Reply
Solved! Jump to solution

gyslainlatsa
Motivator
‎04-27-2015 09:36 AM

use the regular expression

0 Karma
Reply
Solved! Jump to solution

gyslainlatsa
Motivator
‎04-27-2015 05:55 AM

hi,
I hope this can help you.
that is a example of using the regular expression to extract field

<row>
    <table id="table1">
      <title>Count number of HSR and SLA Hours by category: Between $time_range.earliest$ and $time_range.latest$</title>
      <searchTemplate>index=tickets | rex "(?im)^\"\\d+\\-\\d+,\\d+\\-\\d+,(?P&lt;HSR&gt;[^,]+),(?P&lt;SLA&gt;[^,]+)" | rex "(?im)^(?:[^\\-\\n]*\\-){6}\\w+\\s+\\w+,\\d+,(?P&lt;CATEGORY&gt;[^,]+)" | stats count  by CATEGORY</searchTemplate>
      <earliestTime>$time_range.earliest$</earliestTime>
      <latestTime>$time_range.latest$</latestTime>
      <option name="wrap">true</option>
      <option name="rowNumbers">false</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">row</option>
      <option name="count">10</option>
    </table>
  </row>
0 Karma
Reply
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...