Splunk Search

Tutorial for Field Extractor App?

krussell101
Path Finder

I would desperately like to use this application but it has out-smarted me.

Is there a video or some other sort of tutorial for first time users of this application?

Thanks!


dmaislin_splunk
Splunk Employee

Certainly, if you are going to be using Splunk often, starting to learn regular expressions is the best advice I can give you. I would recommend that you start small, like trying to extract a simple field. Here are some pointers...

... | erex date examples="7/01, 07/02" counterexamples="99/2"

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Erex

Then after some matches occur finalize your search and you will see a little area below the search that shows you the field extraction regular expression for the rex command. You can replace the erex command with the rex command that might look something like this:

... | rex field=_raw "Date:\s(?<date>\d+\/\d+)"

http://docs.splunk.com/Documentation/Splunk/4.3.3/SearchReference/Rex

Then, start using the default drop down triangle on the left of the log line to extract fields using the UI. Not much to it, simply copy examples, paste into the box, and save/name your field extraction.

Finally, you can use the field extraction app; it is best to select the advanced options so you can control where the field extraction saves. But overall, all these extraction apps do basic extractions that are greedy and can often have false positives.

My recommendation is to practice with tools like these:

http://gskinner.com/RegExr/
http://regexhero.net/tester/
http://www.hongkiat.com/blog/regular-expression-tools-resources/ 

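To see why the answer above warns that pattern-only extractions are greedy and produce false positives, here is an added example (not part of the original thread or of Splunk itself) that emulates `| rex field=_raw "..."` over a few constructed log lines. It runs the thread's own `Date:\s(?<date>\d+\/\d+)` pattern beside a loose pattern that only captures the `\d+/\d+` shape of the erex examples; the event text, the `rex` helper and the `splunk_regex_to_python` translation of PCRE named groups to Python's `(?P<name>...)` syntax are all assumptions of this example.

```python
import re

# Constructed sample events (not from the original thread). The last two
# contain digit/digit fragments that are not dates at all.
EVENTS = [
    "2012-08-01 10:00:01 host=web1 Date: 7/01 status=200 path=/index",
    "2012-08-01 10:00:02 host=web1 Date: 07/02 status=500 path=/login",
    "2012-08-01 10:00:03 host=web2 ratio=99/2 status=200 path=/api",
    "2012-08-01 10:00:04 host=web2 status=404 path=/reports/1/2",
]

# The rex pattern from the thread, verbatim (Splunk uses PCRE-style named groups).
REX_PATTERN = r"Date:\s(?<date>\d+\/\d+)"

# A loose pattern that only uses the shape of the erex examples, with no context.
LOOSE_PATTERN = r"(?<date>\d+\/\d+)"


def splunk_regex_to_python(pattern: str) -> str:
    """Rewrite PCRE named groups (?<name>...) to Python's (?P<name>...).

    Lookbehinds (?<= and (?<! are left untouched because a group name
    must start with a letter or underscore.
    """
    return re.sub(r"\(\?<([A-Za-z_]\w*)>", r"(?P<\1>", pattern)


def rex(events, pattern):
    """Emulate `| rex field=_raw "<pattern>"`: return the named-group
    captures for each event, or None when the event does not match."""
    compiled = re.compile(splunk_regex_to_python(pattern))
    results = []
    for raw in events:
        m = compiled.search(raw)
        results.append(m.groupdict() if m else None)
    return results


if __name__ == "__main__":
    # The anchored pattern extracts only the two real dates; the loose one
    # also "extracts" 99/2 (the erex counterexample) and 1/2 from a URL path.
    print("anchored:", rex(EVENTS, REX_PATTERN))
    print("loose:   ", rex(EVENTS, LOOSE_PATTERN))
```

The `Date:\s` context before the capture group is what keeps the extraction from firing on the ratio and path fragments, which is the same role the erex counterexamples play when it generates a pattern for you.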

dmaislin_splunk
Splunk Employee

In the Manager section of the UI you can go to Manager, Fields, Field extractions. From there you can move them to an app and change permissions so they are within appname/local by assigning them to the app in permissions, etc.

Depending on which app you were in when you did the extractions, in the shell you can go to $SPLUNK_HOME/etc/users/admin/appname/local

Please accept my answer if you can.

Thanks!


krussell101
Path Finder

Found it! Thanks again.



krussell101
Path Finder

Interesting. Yesterday evening I thought "I need to just suck it up and get better at regexes." 🙂

Your approach is better than mine though. I like that it will build regexes for me that I can manipulate.

Thanks.

One more question... I've created a handful of extractions and wanted to see what they looked like in the config files. The docs say props.conf and/or transforms.conf, but I can't find my extractions anywhere. (This isn't the first time the docs have pointed me to a config file and I've found it empty.) Guidance hugely appreciated.
