Certainly if you are going to be using Splunk often, starting to learn regular expressions is the best advice I can give you. I would recommend that you start small, like trying to extract a simple field. Here are some pointers...
... | erex date examples="7/01, 07/02" counterexamples="99/2"
Then after some matches occur finalize your search and you will see a little area below the search that shows you the field extraction regular expression for the rex command. You can replace the erex command with the rex command that might look something like this:
... | rex field=_raw "Date:\s(?<date>\d+\/\d+)"
Then, start using the default drop-down triangle on the left of the log line to extract fields using the UI. Not much to it: simply copy examples, paste them into the box, and save/name your field extraction.
Finally, you can use the field extraction app; it is best to select the advanced options so you can control where the field extraction saves. Overall, though, all these extraction apps do basic extractions that are greedy and can many times have false positives.
My recommendation is to practice with tools like these:
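As an added example (not part of the original answer), the following Python script approximates what erex does with its examples/counterexamples and what the UI extractions do not: it checks a candidate rex pattern against constructed sample events before you save it, and shows how the greedy pattern from above picks up a false positive that a tighter pattern rejects. Python's re module is used as a stand-in for Splunk's PCRE engine; the event lines, field name and patterns are constructed for this illustration.

```python
import re

# Constructed sample events (not from the original thread).
EVENTS = [
    "Date: 7/01 user=alice action=login",
    "Date: 07/02 user=bob action=logout",
    "Date: 99/2 user=eve action=login",         # bogus date, should not be extracted
    "Date: 7/01/2023 user=carol action=login",  # ambiguous: a full date, not dd/mm
]
EXAMPLES = ["7/01", "07/02"]      # values erex was told to find
COUNTEREXAMPLES = ["99/2"]        # values erex was told to reject

# The greedy pattern erex tends to suggest, and a tightened version that
# requires 1-2 digits, a slash, exactly 2 digits, then whitespace or end of event.
LOOSE_PATTERN = r"Date:\s(?<date>\d+\/\d+)"
TIGHT_PATTERN = r"Date:\s(?<date>\d{1,2}\/\d{2})(?=\s|$)"


def splunk_to_python(pattern: str) -> str:
    """rex uses PCRE named groups (?<name>...); Python's re wants (?P<name>...)."""
    return re.sub(r"\(\?<([A-Za-z_]\w*)>", r"(?P<\1>", pattern)


def extract_field(pattern: str, event: str, field: str):
    """Return the named field value rex would extract from one event, or None."""
    m = re.search(splunk_to_python(pattern), event)
    return m.group(field) if m else None


def check_extraction(pattern, field, examples, counterexamples, events):
    """Emulate erex's examples/counterexamples check over a set of events.

    Returns (missing, false_positives): example values the pattern never
    extracted, and counterexample values it wrongly extracted.
    """
    extracted = set()
    for event in events:
        value = extract_field(pattern, event, field)
        if value is not None:
            extracted.add(value)
    missing = [x for x in examples if x not in extracted]
    false_positives = [c for c in counterexamples if c in extracted]
    return missing, false_positives


if __name__ == "__main__":
    for name, pat in (("loose", LOOSE_PATTERN), ("tight", TIGHT_PATTERN)):
        print(name, check_extraction(pat, "date", EXAMPLES, COUNTEREXAMPLES, EVENTS))
```

The tight pattern also extracts nothing from the "7/01/2023" event instead of silently taking "7/01", which is the behaviour you want to notice before the extraction goes into props.conf.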
Interesting. Yesterday evening I thought "I need to just suck it up and get better at regexes." 🙂
Your approach is better than mine though. I like that it will build regexes for me that I can manipulate.
One more question: I've created a handful of extractions and wanted to see what they looked like in the config files. Docs say props.conf and/or transforms.conf. But I can't find my extractions anywhere. (This isn't the first time the docs point me to a config file and I find it empty.) Guidance hugely appreciated.
In the UI you can go to Manager, Fields, Field extractions. From there you can move them to an app, change permissions so they are within appname/local by assigning them to the app in permissions, etc.
Depending on which app you were in when you did the extractions, in the shell you can go to $SPLUNK_HOME/etc/users/admin/appname/local
Please accept my answer if you can.