Splunk Search

Tutorial for Field Extractor App?

krussell101
Path Finder

I would desperately like to use this application but it has out-smarted me.

Is there a video or some other sort of tutorial for first time users of this application?

Thanks!

0 Karma
1 Solution

dmaislin_splunk
Splunk Employee

Certainly, if you are going to be using Splunk often, starting to learn regular expressions is the best advice I can give you. I would recommend that you start small, like trying to extract a simple field. Here are some pointers...

... | erex date examples="7/01, 07/02" counterexamples="99/2"

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Erex

Then, after some matches occur, finalize your search and you will see a little area below the search that shows you the field extraction regular expression for the rex command. You can replace the erex command with the rex command, which might look something like this:

... | rex field=_raw "Date:\s(?<date>\d+\/\d+)"

http://docs.splunk.com/Documentation/Splunk/4.3.3/SearchReference/Rex

Then, start using the default drop-down triangle on the left of the log line to extract fields using the UI. Not much to it: simply copy examples, paste them into the box, and save/name your field extraction.

Finally, you can use the field extraction app; it is best to select the advanced options so you can control where the field extraction saves. Overall, though, all these extraction apps do basic extractions that are greedy and can often have false positives.

My recommendation is to practice with tools like these:

http://gskinner.com/RegExr/
http://regexhero.net/tester/
http://www.hongkiat.com/blog/regular-expression-tools-resources/ 


0 Karma

dmaislin_splunk
Splunk Employee

In the Manager of the UI you can go to Manager, Fields, Field extractions. From there you can move them to an app, change permissions so they are within the appname/local by assigning them to the app in permissions, etc.

Depending on which app you were in when you did the extractions, in the shell you can go to $SPLUNK_HOME/etc/users/admin/appname/local.

Please accept my answer if you can.

Thanks!

0 Karma
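The two answers above describe the same extraction from two sides: the rex command applies a regex with a named capture group to _raw, and a saved extraction ends up as an EXTRACT-<class> key in a props.conf under the app's local directory. The following is an added example (not code from the thread or from Splunk) that models both in Python: it reads a constructed props.conf fragment, rewrites the PCRE-style (?<name>...) group that Splunk uses into the (?P<name>...) form Python's re module requires, and runs the extractions over a few constructed events. The stanza name my_sourcetype and the second, looser extraction class are assumptions; the looser class is there to show the greedy/false-positive caveat from the accepted answer, since it happily matches the "99/2" shape that the erex call listed as a counterexample while the "Date:" anchored regex does not.

```python
import configparser
import re

# Constructed props.conf fragment. The [my_sourcetype] stanza name and the
# second extraction class are assumptions for this example; the first regex is
# the one from the answer's rex command, written the way a saved extraction
# appears as an EXTRACT-<class> key in props.conf.
PROPS_CONF = r"""
[my_sourcetype]
EXTRACT-date = Date:\s(?<date>\d+\/\d+)
EXTRACT-loose_date = (?<loose_date>\d+\/\d+)
"""

# Constructed sample events; the third has the "99/2" shape that the erex call
# in the answer lists as a counterexample.
EVENTS = [
    "Date: 7/01 user=alice action=login",
    "Date: 07/02 user=bob action=logout",
    "latency=99/2 ms user=carol",
]


def pcre_to_python(pattern):
    """Rewrite PCRE named groups (?<name>...) as Python's (?P<name>...).

    Lookbehinds (?<= and (?<! are left untouched because the character after
    '(?<' must start an identifier for the rewrite to apply.
    """
    return re.sub(r"\(\?<([A-Za-z_]\w*)>", r"(?P<\1>", pattern)


def parse_extractions(props_text):
    """Return {stanza: {class_name: python_regex}} for every EXTRACT-* key."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case (EXTRACT-date) exactly as written
    cp.read_string(props_text)
    result = {}
    for stanza in cp.sections():
        result[stanza] = {
            key[len("EXTRACT-"):]: pcre_to_python(value)
            for key, value in cp[stanza].items()
            if key.startswith("EXTRACT-")
        }
    return result


def apply_extractions(raw_event, extractions):
    """Run each extraction class over one _raw event and collect named groups."""
    fields = {}
    for pattern in extractions.values():
        match = re.search(pattern, raw_event)
        if match:
            fields.update(match.groupdict())
    return fields


def extract_all(props_text=PROPS_CONF, events=EVENTS, sourcetype="my_sourcetype"):
    """Fields each event would get from the stanza's extractions."""
    extractions = parse_extractions(props_text)[sourcetype]
    return [apply_extractions(event, extractions) for event in events]


if __name__ == "__main__":
    for event, fields in zip(EVENTS, extract_all()):
        print(f"{event!r:45} -> {fields}")
```

Running it shows the third event getting loose_date=99/2 but no date field: the anchor text "Date:\s" in the rex-style regex is what keeps the extraction from firing on unrelated number pairs, which is the kind of tightening you end up doing by hand after erex or the extraction app has produced its first, greedy guess.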

krussell101
Path Finder

Found it! Thanks again.

0 Karma

krussell101
Path Finder

Interesting. Yesterday evening I thought "I need to just suck it up and get better at regexes." 🙂

Your approach is better than mine though. I like that it will build regexes for me that I can manipulate.

Thanks.

One more question... I've created a handful of extractions and wanted to see what they looked like in the config files. Docs say props.conf and/or transforms.conf. But I can't find my extractions anywhere. (This isn't the first time the docs point me to a config file and I find it empty.) Guidance hugely appreciated.

0 Karma