Splunk Search

specifying field in Field Extraction

Rabbit
Loves-to-Learn

In search, with the rex command I can specify which field I want to apply the regex to, as in the following example:
| rex field=event "My Custom regex...."

But if I want to register the same regex in the Field Extraction option (to have it as a reusable object with my team), I don't see any option to specify the field. I assume it registers it against the entire _raw by default.

Any idea if I can specify the field when I create a field with "Field Extraction"?


ITWhisperer
SplunkTrust

Can you save it as a macro that your team can reuse?


Rabbit
Loves-to-Learn

We're planning to have custom fields so people can directly search by those fields. Field Extraction works well; my only concern is not being able to specify the field, which can cause performance difficulties.

I assume there is a difference between parsing only the event field versus the entire _raw.

Also, I don't want to force developers to use the backtick character for macros.


gcusello
SplunkTrust

Hi @Rabbit,

Yes, when you put a regex in the field extractor it searches all of _raw,

but you can limit the search to an already extracted field (the same thing as field=event in the rex command) by adding "in event" (without quotes, obviously) at the end of the expression. In other words, please try putting this expression in the field extractor:

My Custom regex.... in event

Ciao.

Giuseppe

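The two forms being discussed, written out as an added example in props.conf syntax (this is not from the original thread; the sourcetype name, the field names and the sample regex are assumptions). A Field Extraction of type "Inline" created through the web UI is stored as exactly this kind of EXTRACT- stanza, so typing `<regex> in event` into the UI and writing the stanza below are equivalent:

```ini
# props.conf (search-time extractions), e.g. $SPLUNK_HOME/etc/apps/<your_app>/local/props.conf
# "my_app_json", "event", "txn_id" and the regex itself are assumptions for this example.
[my_app_json]

# Default behaviour (what the UI does when no field is given): the regex is
# matched against the whole _raw text of every event.
EXTRACT-txn_from_raw = transaction_id=(?<txn_id_raw>[A-Za-z0-9-]+)

# Scoped form: the trailing "in <src_field>" applies the same regex only to the
# value of the already-extracted field "event". This is the search-time
# equivalent of:  | rex field=event "transaction_id=(?<txn_id>[A-Za-z0-9-]+)"
EXTRACT-txn_from_event = transaction_id=(?<txn_id>[A-Za-z0-9-]+) in event
```

Two things worth checking if the scoped version returns nothing while the unscoped one works. First, `<src_field>` may contain only letters, digits and underscores, and the keyword is the literal lowercase ` in ` with single spaces, not part of the regex. Second, and more often the cause: in Splunk's search-time operations sequence, inline EXTRACT- stanzas run before REPORT- stanzas and before automatic key-value / JSON extraction (KV_MODE). If `event` only exists because KV_MODE=json produced it, it has not been extracted yet when `in event` is evaluated, so the extraction silently yields no field. The `in` source must be an indexed field or one produced by an earlier step in that sequence.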

Rabbit
Loves-to-Learn

Thanks for the quick reply

But the queries return nothing if the "in event" part is added at the end of the line; after removing it they start working again.

By the way, I tried putting the entire regex in quotes followed by the "in event" part (as you can see in the screenshot), and also without quotes, but nothing changed.

[screenshot attachment: Rabbit_0-1627241285809.png]


gcusello
SplunkTrust

Hi @Rabbit,

could you share your regex and a sample of your logs?

I have used "in fieldname" many times in my field extractions.

Ciao.

Giuseppe
