Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

specifying field in Field Extraction

Rabbit
Loves-to-Learn
‎07-24-2021 02:35 PM

in search, w/ rex command I can specify which field I want to apply the Regex as following example
| rex field=event "My Custom regex...."

But if I want to register the same regex in Field Extraction option (to have it reusable object w/ my team) I don't see any option to specify the field. I assume it register it to entire _raw as default. 

Any idea if I can specify the field when I create a Field with "Field Extraction" ?

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎07-24-2021 03:47 PM

Can you save it as a macro that your team can reuse?

0 Karma
Reply

Rabbit
Loves-to-Learn
‎07-24-2021 08:37 PM

We're planning to have custom fields so people can directly search by those fields.  Field Extraction works well only concern of mine is not able to specify the fields which can cause performance difficulties.

I assume there is a difference between parsing from only the event versus from entire _raw.  

Also, I don't want to force developers to use back tick character for macro(s).

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-25-2021 01:23 AM

Hi @Rabbit,

yes, putting a regex in field extractor it search in all _raw,

but you can limit the search to an already extracted field (the same thing of field=event in rex command) adding "in event" (without quotes obviously) at the end of the expression, in other words,  please try to put this expression in field extractor:

My Custom regex.... in event

Ciao.

Giuseppe

0 Karma
Reply

Rabbit
Loves-to-Learn
‎07-25-2021 12:26 PM

Thanks for the quick reply

But queries return nothing if in event part is added at the end of the line,  after removing it they start working again.

btw, I tried to put entire Regex in quotes then in event part (as u can see in screenshot), and w/o quotes but nothing changed.

Rabbit_0-1627241285809.png

 

 

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-25-2021 11:13 PM

Hi @Rabbit,

could you share your regex and a sample of your logs?

I used many times "in fieldname" in my field extraction.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...