Splunk Search

What is difference between report and field extraction?

jangid
Builder

What is the difference between REPORT- and FIELD-?

1 Solution

Drainy
Champion

REPORT- is a search time extraction.
FIELDALIAS- creates an alias for an existing field name, so if you already had a field such as ComputerName automatically extracted from Windows event logs, you could create an alias to change it to comp_name, for example.

Where have you seen FIELD-? It's not documented.


Drainy
Champion

Ah, best bet is to just post a comment asking if anyone had any ideas to bump it back up the list 🙂


Drainy
Champion

Ah, I would assume it was a typo. If it did work, it is probably just shorthand for FIELDALIAS, much like Splunk doesn't care if you use TRANSFORM or TRANSFORMS.


jangid
Builder

Thanks Drainy, I don't know exactly where I saw it, but I am sure it was either in Splunkbase or Answers.

Anyway, after your reply my question no longer has any meaning.

Thanks Drainy

jangid
Builder

Thanks Drainy,
my question is still open and unanswered. I didn't get any answer, so I thought it better to close it because there is no delete option.


Drainy
Champion

If you're happy it's been answered, then all you need to do is click the tick next to the answer below to accept it 🙂 If you've answered it elsewhere, post it as your own answer and then you can accept that too. We keep closing questions for spam or duplicates.


sbrant_splunk
Splunk Employee

Are you referring to REPORT- and EXTRACT-? If so, the difference is that REPORT can reference one or more stanzas in transforms.conf while EXTRACT does not utilize transforms.conf (both are for search-time field extraction). It is explained in detail here, under the section "Field Extraction Configuration":

http://docs.splunk.com/Documentation/Splunk/latest/admin/propsconf
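To make the distinction concrete, here is an added example (not part of the original answer) of how the three search-time settings named in this thread sit side by side in props.conf and transforms.conf. The sourcetype `myapp_access`, the stanza names `myapp_method_uri` and `myapp_status`, and the regular expressions are all assumptions constructed for illustration against a web-access-style log line such as `10.1.2.3 - GET /login 200`.

```ini
# props.conf  (added example; sourcetype and regexes are constructed)
[myapp_access]

# EXTRACT-<class>: the regex lives inline here; transforms.conf is not consulted.
EXTRACT-client = ^(?<client_ip>\d{1,3}(?:\.\d{1,3}){3})\s

# REPORT-<class>: the value is one or more transforms.conf stanza names.
# Both stanzas below are applied at search time for this sourcetype.
REPORT-http = myapp_method_uri, myapp_status

# FIELDALIAS-<class>: gives an already-extracted field a second name,
# e.g. so the CIM-style name "src" is available in searches and dashboards.
FIELDALIAS-src = client_ip AS src

# transforms.conf  (added example; stanza names are constructed)
[myapp_method_uri]
REGEX = \s(?<method>GET|POST|PUT|DELETE)\s(?<uri>\S+)

[myapp_status]
REGEX = \s(?<status>\d{3})\s*$
```

The practical consequence: an EXTRACT- regex is private to the props stanza it appears in, while a transforms.conf stanza referenced by REPORT- can be reused by several sourcetypes and can carry extra options (for example `FORMAT` or delimiter-based extraction) that an inline EXTRACT- cannot. Note that REPORT- is distinct from TRANSFORMS-, which also references transforms.conf stanzas but is applied at index time rather than search time.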

surajsplunkd
Engager

Thanks, this is clearer than the others' answers, and that is how one should answer instead of playing around the question begging for Karma, like Drainy 🙂


jangid
Builder

Thanks for your reply.
I mean REPORT- and FIELD-.
