Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is difference between report and field extraction?

jangid
Builder
‎07-23-2012 09:38 AM

What is the difference between REPORT- and FIELD-?

Reply
1 Solution
Solved! Jump to solution
Solution

Drainy
Champion
‎08-10-2012 06:58 AM

REPORT- is a search time extraction
FIELDALIAS- creates an alias for an existing field name, so if you already had a field such as ComputerName automatically extracted from windows event logs, you could create an alias to change it to comp_name for example.

Where have you seen FIELD- ? Its not documented.

View solution in original post

Reply
Solved! Jump to solution

Drainy
Champion
‎08-10-2012 06:58 AM

Ah, best bet is to just post a comment asking if anyone had any ideas to bump it back up the list 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

Drainy
Champion
‎08-10-2012 06:58 AM

REPORT- is a search time extraction
FIELDALIAS- creates an alias for an existing field name, so if you already had a field such as ComputerName automatically extracted from windows event logs, you could create an alias to change it to comp_name for example.

Where have you seen FIELD- ? Its not documented.

Reply
Solved! Jump to solution

Drainy
Champion
‎08-13-2012 02:39 AM

ah, I would assume it was a typo. If it did work it is probably just short-hand for FIELDALIAS much like Splunk doesn't care if you use TRANSFORM or TRANSFORMS

0 Karma
Reply
Solved! Jump to solution

jangid
Builder
‎08-13-2012 02:29 AM

Thanks Drainy, I don't know exactly where I saw but I am sure it was either in Splunkbase or Answers.

Anyway Now after your reply there is no meaning of my question.

Thanks Drainy

Reply
Solved! Jump to solution

jangid
Builder
‎08-10-2012 06:18 AM

Thanks Drainy,
my question is still open and unanswered. I didn't get any answer so thought better to close it because there is no delete option.

0 Karma
Reply
Solved! Jump to solution

Drainy
Champion
‎08-10-2012 03:15 AM

If you're happy its been answered then all you need to do is click the tick next to the answer below to accept it 🙂 If you've answered it elsewhere, post it as your own answer and then you can accept that too. We keep closing questions for spam or duplicates

0 Karma
Reply
Solved! Jump to solution

sbrant_splunk
Splunk Employee
Splunk Employee
‎07-23-2012 11:36 AM

Are you referring to REPORT- and EXTRACT-? If so, the difference is that REPORT can reference one or more stanzas in transforms.conf while EXTRACT does not utilize transforms.conf (both are for search-time field extraction). It is explained in detail here, under the section "Field Extraction Configuration":

http://docs.splunk.com/Documentation/Splunk/latest/admin/propsconf

Reply
Solved! Jump to solution

jangid
Builder
‎07-24-2012 02:09 AM

Thanks for your reply.
I mean REPORT- and FIELD-

0 Karma
Reply
Get Updates on the Splunk Community!

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...

New Splunk Innovations Enhance Performance and Accelerate Troubleshooting

Splunk is excited to announce new releases that empower ITOps and engineering teams to stay ahead in ever ...
Top