Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to know the already extracted fields of any source type

sudarshan391
Path Finder
‎07-24-2017 03:29 AM

I uploaded a .csv file in two source types and forgot which fields i extracted and what name i given to extracted fields.
I used different names for same attribute in both source types.

is there a way to get know which name was given to which attribute while extracting fields?

0 Karma
Reply

niketn
Legend
‎07-24-2017 04:16 AM

@sudarshan391, You can run the following REST search in Splunk. Provided you have access.

| rest /serviceNS/-/-/props/extractions
| search eai.acl.app="<YourAppName>" AND author="<author>" AND stanza="<YourSourceType>"
| table attribute eai.acl.app stanza title type value author eai.acl.owner eai.acl.sharing eai.acl.perm.read eai.acl.perm.write

If you have a fixed App name and owner you can filter in the first query itself for example following looks at search app for admin owner:

| rest /serviceNS/admin/search/props/extractions

Since field extractions can be created based on source, host and sourcetype. Please use stanza filter to search for specific sourcetype, if you are aware that extractions have been created for specific sourcetype. Second pipe should be completely based on your needs.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-24-2017 03:44 AM

Hi,
run
| inputlookup lookupname.csv
and see the fieldnames.
Bye.
Giuseppe

0 Karma
Reply

sudarshan391
Path Finder
‎07-24-2017 04:19 AM

Hi, thanks for your quick reply. i tried above query but the result is blank.

i replaced lookupname.csv with my csv file name. I also put the index and source type before the | inputlookup

I tried below queries but no success. am i doing something wrong? sorry i am new to splunk.

| inputlookup Feb-March-Apr-May.csv
index=created_ticket sourcetype=created_ticket | inputlookup Feb-March-Apr-May.csv

0 Karma
Reply

seancruikshanki
Explorer
‎07-24-2017 03:41 AM

Hi,

If you go into 'Settings > Fields > Field Extractions' then search for the sourcetypes you specified on upload it should return all the extractions present for those sourcetypes. The results should be in the format 'sourcetype : extraction name'.

0 Karma
Reply

sudarshan391
Path Finder
‎07-24-2017 04:27 AM

Hi, yes you are right it is showing the 'sourcetype : extraction name' but what i am looking is what is inside in those extraction. means i want to remember which fields i was extracted and what name i giving to those extracted fields.
Thanks for your reply.

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top