Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Interactive field extractor sample data

khodges_splunk
Splunk Employee
Splunk Employee
‎12-05-2011 09:38 AM

Is there a way to control the sample data displayed in the IFX sample data? It is not selective enough for me to see values that I want to extract. So, I have to return to the search window first to find the data values I want.

Tags (1)
Reply

Drainy
Champion
‎12-05-2011 10:44 AM

Not that I know of but someone else might jump in and say otherwise. Sadly while the IFX is great for quick and dirty ways to perform field extractions it doesn't quite match the capabilities of creating your own extractions.

So, if you did want to create your own you essentially need to learn a little bit of regex which is easier than it sounds and then learn how to modify the transforms.conf and props.conf. Inside transforms you define regex extractions which splunk uses to look for fields within events and the names for those fields. In props you apply those transforms and you can be specific in applying these against particular sourcetypes, sources etc.

If you did want any help with specific regex's then feel free to reply back with more details. Oh and this site here is good for helping to learn and test regex's

Reply

whateverman
Explorer
‎03-04-2013 10:07 PM

yes, this is an issue I am having as well. Would be nice to have more control on the sample data.

0 Karma
Reply

rps462
Path Finder
‎07-12-2012 04:11 PM

It would be great if the IFX sample data that's shown could be based off the current search.

0 Karma
Reply

Drainy
Champion
‎12-10-2011 01:20 AM

No, but the sample data it extracts should usually be suitable. I guess you just have a large range of varied results? You could always do more specific searches and assign the same fieldnames to fields that the IFX won't match but are meant to be the same

0 Karma
Reply

khodges_splunk
Splunk Employee
Splunk Employee
‎12-05-2011 10:47 AM

Thanks for your response. Yes, using transforms and props, or even the rex command provide a great level of flexibility. But I was wondering if anyone knew a trick to be able to modify that sample data seen in IFX; for the reason you stated here.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...