Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is difference between report and field extraction?

jangid
Builder
‎07-23-2012 09:38 AM

What is the difference between REPORT- and FIELD-?

Reply
1 Solution
Solved! Jump to solution
Solution

Drainy
Champion
‎08-10-2012 06:58 AM

REPORT- is a search time extraction
FIELDALIAS- creates an alias for an existing field name, so if you already had a field such as ComputerName automatically extracted from windows event logs, you could create an alias to change it to comp_name for example.

Where have you seen FIELD- ? Its not documented.

View solution in original post

Reply
Solved! Jump to solution

Drainy
Champion
‎08-10-2012 06:58 AM

Ah, best bet is to just post a comment asking if anyone had any ideas to bump it back up the list 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

Drainy
Champion
‎08-10-2012 06:58 AM

REPORT- is a search time extraction
FIELDALIAS- creates an alias for an existing field name, so if you already had a field such as ComputerName automatically extracted from windows event logs, you could create an alias to change it to comp_name for example.

Where have you seen FIELD- ? Its not documented.

Reply
Solved! Jump to solution

Drainy
Champion
‎08-13-2012 02:39 AM

ah, I would assume it was a typo. If it did work it is probably just short-hand for FIELDALIAS much like Splunk doesn't care if you use TRANSFORM or TRANSFORMS

0 Karma
Reply
Solved! Jump to solution

jangid
Builder
‎08-13-2012 02:29 AM

Thanks Drainy, I don't know exactly where I saw but I am sure it was either in Splunkbase or Answers.

Anyway Now after your reply there is no meaning of my question.

Thanks Drainy

Reply
Solved! Jump to solution

jangid
Builder
‎08-10-2012 06:18 AM

Thanks Drainy,
my question is still open and unanswered. I didn't get any answer so thought better to close it because there is no delete option.

0 Karma
Reply
Solved! Jump to solution

Drainy
Champion
‎08-10-2012 03:15 AM

If you're happy its been answered then all you need to do is click the tick next to the answer below to accept it 🙂 If you've answered it elsewhere, post it as your own answer and then you can accept that too. We keep closing questions for spam or duplicates

0 Karma
Reply
Solved! Jump to solution

sbrant_splunk
Splunk Employee
Splunk Employee
‎07-23-2012 11:36 AM

Are you referring to REPORT- and EXTRACT-? If so, the difference is that REPORT can reference one or more stanzas in transforms.conf while EXTRACT does not utilize transforms.conf (both are for search-time field extraction). It is explained in detail here, under the section "Field Extraction Configuration":

http://docs.splunk.com/Documentation/Splunk/latest/admin/propsconf

Reply
Solved! Jump to solution

jangid
Builder
‎07-24-2012 02:09 AM

Thanks for your reply.
I mean REPORT- and FIELD-

0 Karma
Reply
Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...