I extracted a new field and validated it from a csv file. How do I see and use it for searches?

Contributor

Hi,

I am new to Splunk, but I already like its features.
I was trying to extract a field from my loaded .csv file and I validated it correctly (from a sample event and then the field value), but I do not know how to see it in the visualization or use it in a search.
I can easily use boolean searches and concatenation with pipelines and sorting, but:
Could you give me an example of a search which uses a newly extracted field (e.g. in my file I use the Status field, which has some string values)?

Thanks for any suggestion,
Skender

0 Karma

Re: I extracted a new field and validated it from a csv file. How do I see and use it for searches?

Motivator

Hi,
I hope this can help you.
That is an example of using a regular expression to extract a field:

<row>
  <table id="table1">
    <title>Count number of HSR and SLA Hours by category: Between $time_range.earliest$ and $time_range.latest$</title>
    <searchTemplate>index=tickets | rex "(?im)^\"\\d+\\-\\d+,\\d+\\-\\d+,(?P&lt;HSR&gt;[^,]+),(?P&lt;SLA&gt;[^,]+)" | rex "(?im)^(?:[^\\-\\n]*\\-){6}\\w+\\s+\\w+,\\d+,(?P&lt;CATEGORY&gt;[^,]+)" | stats count  by CATEGORY</searchTemplate>
    <earliestTime>$time_range.earliest$</earliestTime>
    <latestTime>$time_range.latest$</latestTime>
    <option name="wrap">true</option>
    <option name="rowNumbers">false</option>
    <option name="dataOverlayMode">none</option>
    <option name="drilldown">row</option>
    <option name="count">10</option>
  </table>
</row>
0 Karma
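
An added example, not written by any poster in this thread: a self-contained search that extracts a Status field at search time with rex and then filters and counts on it, following the same rex-then-stats pattern as the dashboard search above. The three-column layout, the TicketId and Opened field names, and the sample rows are constructed assumptions; with real data, replace the first three commands with your own base search.

```spl
| makeresults
| eval constructed_rows=split("1001,2015-06-01,Open;1002,2015-06-02,Closed;1003,2015-06-03,Open;1004,2015-06-04,In Progress", ";")
| mvexpand constructed_rows
| rex field=constructed_rows "^(?<TicketId>\d+),(?<Opened>[^,]+),(?<Status>[^,]+)$"
| search Status="Open"
| stats count BY Status
```

Once rex has run, Status behaves like any other field for the rest of the pipeline (search, where, stats, sort, table). Field names are case-sensitive, so `status` and `Status` are different fields.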

Re: I extracted a new field and validated it from a csv file. How do I see and use it for searches?

Contributor

Sorry to ask, but when I created/extracted a new field, I thought I would see a new field when I go to all fields (Splunk Light version). Is it correct?

Skender

0 Karma

Re: I extracted a new field and validated it from a csv file. How do I see and use it for searches?

Motivator

Use the regular expression.

0 Karma