Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

I extracted a new field and validated it from a csv file. How do I see and use it for searches?

skender27
Contributor
‎04-27-2015 05:39 AM

Hi,

I am new to Splunk, but I already like its features.
I was trying to extract a field from my loaded .csv file and I validated correctly (from sample event and then field value), but I do not know how to see it in the visualization or use it in a search.
I use easily boolean searches and concatenation with pipeline and sorting, but:
Could you tell me an example with a search which uses new extracted field (e.g I use in my file the Status field which has some string values)?

Thanks for any suggestion,
Skender

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

neelamssantosh
Contributor
‎04-27-2015 08:18 AM

if you want to see the values of Status field use,

xxxxxxx status=*|stats count values(status) by host/sourcetype/source

http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/CommonStatsFunctions
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ListOfSearchCommands

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

neelamssantosh
Contributor
‎04-27-2015 08:18 AM

if you want to see the values of Status field use,

xxxxxxx status=*|stats count values(status) by host/sourcetype/source

http://docs.splunk.com/Documentation/Splunk/6.2.2/SearchReference/CommonStatsFunctions
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/ListOfSearchCommands

0 Karma
Reply
Solved! Jump to solution

skender27
Contributor
‎04-27-2015 09:08 AM

Sorry to ask, but when I created/extracted a new field, I thought I would see a new field when I go to all fields (Splunk Light version). Is it correct?

Skender

0 Karma
Reply
Solved! Jump to solution

gyslainlatsa
Motivator
‎04-27-2015 09:36 AM

use the regular expression

0 Karma
Reply
Solved! Jump to solution

gyslainlatsa
Motivator
‎04-27-2015 05:55 AM

hi,
I hope this can help you.
that is a example of using the regular expression to extract field

<row>
    <table id="table1">
      <title>Count number of HSR and SLA Hours by category: Between $time_range.earliest$ and $time_range.latest$</title>
      <searchTemplate>index=tickets | rex "(?im)^\"\\d+\\-\\d+,\\d+\\-\\d+,(?P&lt;HSR&gt;[^,]+),(?P&lt;SLA&gt;[^,]+)" | rex "(?im)^(?:[^\\-\\n]*\\-){6}\\w+\\s+\\w+,\\d+,(?P&lt;CATEGORY&gt;[^,]+)" | stats count  by CATEGORY</searchTemplate>
      <earliestTime>$time_range.earliest$</earliestTime>
      <latestTime>$time_range.latest$</latestTime>
      <option name="wrap">true</option>
      <option name="rowNumbers">false</option>
      <option name="dataOverlayMode">none</option>
      <option name="drilldown">row</option>
      <option name="count">10</option>
    </table>
  </row>
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...