Splunk Search

Tutorial for Field Extractor App?

krussell101
Path Finder

I would desperately like to use this application but it has out-smarted me.

Is there a video or some other sort of tutorial for first time users of this application?

Thanks!

0 Karma
1 Solution

dmaislin_splunk
Splunk Employee
Splunk Employee

Certainly if you are going to be using Splunk often, starting to learn regular expressions is the best advice I can give you. I would recommend that you start small, like trying to extract a simple field. Here are some pointers...

... | erex date examples="7/01, 07/02" counterexamples="99/2"

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Erex

Then after some matches occur finalize your search and you will see a little area below the search that shows you the field extraction regular expression for the rex command. You can replace the erex command with the rex command that might look something like this:

... | rex field=_raw "Date:\s(?<date>\d+\/\d+)"

http://docs.splunk.com/Documentation/Splunk/4.3.3/SearchReference/Rex

Then, start using the default drop down triangle on the left of the log line to extract fields using the UI. Not much to it, simply copy examples, paste into the box, and save/name your field extraction.

Finally, you can use the field extraction app, best to select the advanced options so you can control where the field extraction saves, but overall, all these extraction apps do basic extractions that are greedy and can many times have false positives.

My recommendation is to practice with tools like these:

http://gskinner.com/RegExr/
http://regexhero.net/tester/
http://www.hongkiat.com/blog/regular-expression-tools-resources/ 


0 Karma
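To see the false-positive caveat from the answer in action, here is an added Python script (not Splunk's code and not part of the answer): it applies the rex pattern quoted above and a looser variant to a few constructed events and audits the results against the erex examples and counterexample. The sample events and helper names are assumptions; Splunk's PCRE named groups are translated to Python's syntax first.

```python
import re

# Constructed sample events (not from the thread), in the "Date: m/dd" shape the rex example assumes.
SAMPLE_EVENTS = [
    "Date: 7/01 user=alice action=login",
    "Date: 07/02 user=bob action=logout ratio=99/2",
    "Build 99/2 finished, no Date header on this line",
]

# The erex examples and counterexample from the answer.
EXAMPLES = ["7/01", "07/02"]
COUNTEREXAMPLES = ["99/2"]

# The rex pattern from the answer, and a looser one of the kind a greedy auto-extractor tends to produce.
ANCHORED_PATTERN = r"Date:\s(?<date>\d+\/\d+)"
LOOSE_PATTERN = r"(?<date>\d+\/\d+)"


def pcre_to_python(pattern: str) -> str:
    """Splunk's rex uses PCRE named groups (?<name>...); Python's re needs (?P<name>...).
    Lookbehinds (?<= and (?<! are left alone because \\w+ does not match '=' or '!'."""
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)


def extract_field(pattern: str, events):
    """Apply a rex-style pattern to each event; returns the named groups per event ({} when nothing matched)."""
    compiled = re.compile(pcre_to_python(pattern))
    results = []
    for event in events:
        match = compiled.search(event)
        results.append(match.groupdict() if match else {})
    return results


def audit_extraction(pattern: str, events, examples, counterexamples):
    """Check an extraction the way erex does: every example value should be extracted
    and no counterexample value should be. Returns (missing_examples, false_positives)."""
    values = {v for row in extract_field(pattern, events) for v in row.values()}
    missing = sorted(set(examples) - values)
    false_positives = sorted(values & set(counterexamples))
    return missing, false_positives


if __name__ == "__main__":
    for name, pattern in [("loose", LOOSE_PATTERN), ("anchored", ANCHORED_PATTERN)]:
        missing, bad = audit_extraction(pattern, SAMPLE_EVENTS, EXAMPLES, COUNTEREXAMPLES)
        print(f"{name}: extracted={extract_field(pattern, SAMPLE_EVENTS)} missing={missing} false_positives={bad}")
```

The loose pattern pulls "99/2" out of the third event even though it is a counterexample; anchoring on the "Date:" prefix, as the answer's rex does, removes that false positive.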

dmaislin_splunk
Splunk Employee
Splunk Employee

In the Manager of the UI you can go to Manager, Fields, Field extractions. From there you can move them to an app, change permissions so they are within the appname/local by assigning them to the app in permissions, etc.

Depending on which app you were in when you did the extractions, in the shell you can go to $SPLUNK_HOME/etc/users/admin/appname/local

Please accept my answer if you can.

Thanks!

0 Karma

krussell101
Path Finder

Found it! Thanks again.

0 Karma


krussell101
Path Finder

Interesting. Yesterday evening I thought "I need to just suck it up and get better at reg exes." 🙂

Your approach is better than mine though. I like that it will build reg exes for me that I can manipulate.

Thanks.

One more question. I've created a handful of extractions and wanted to see what they looked like in the config files. Docs say props.conf and/or transforms.conf. But I can't find my extractions anywhere. (This isn't the first time the docs point me to a config file and I find it empty.) Guidance hugely appreciated.

0 Karma