Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Interactive field extractor sample data

khodges_splunk
Splunk Employee
Splunk Employee
‎12-05-2011 09:38 AM

Is there a way to control the sample data displayed in the IFX sample data? It is not selective enough for me to see values that I want to extract. So, I have to return to the search window first to find the data values I want.

Tags (1)
Reply

Drainy
Champion
‎12-05-2011 10:44 AM

Not that I know of but someone else might jump in and say otherwise. Sadly while the IFX is great for quick and dirty ways to perform field extractions it doesn't quite match the capabilities of creating your own extractions.

So, if you did want to create your own you essentially need to learn a little bit of regex which is easier than it sounds and then learn how to modify the transforms.conf and props.conf. Inside transforms you define regex extractions which splunk uses to look for fields within events and the names for those fields. In props you apply those transforms and you can be specific in applying these against particular sourcetypes, sources etc.

If you did want any help with specific regex's then feel free to reply back with more details. Oh and this site here is good for helping to learn and test regex's

Reply

whateverman
Explorer
‎03-04-2013 10:07 PM

yes, this is an issue I am having as well. Would be nice to have more control on the sample data.

0 Karma
Reply

rps462
Path Finder
‎07-12-2012 04:11 PM

It would be great if the IFX sample data that's shown could be based off the current search.

0 Karma
Reply

Drainy
Champion
‎12-10-2011 01:20 AM

No, but the sample data it extracts should usually be suitable. I guess you just have a large range of varied results? You could always do more specific searches and assign the same fieldnames to fields that the IFX won't match but are meant to be the same

0 Karma
Reply

khodges_splunk
Splunk Employee
Splunk Employee
‎12-05-2011 10:47 AM

Thanks for your response. Yes, using transforms and props, or even the rex command provide a great level of flexibility. But I was wondering if anyone knew a trick to be able to modify that sample data seen in IFX; for the reason you stated here.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...