All Apps and Add-ons

Why does the Field Extractor App not just show my events?

michealrp
Path Finder

One thing that I've noticed, and it may be something that I'm doing incorrectly, is that when I search for an event containing, say, "connected from" and I get, say, 15 results, when I attempt to run the extraction on the results, it pulls everything else in as well. Often more than 1000 lines of information are shown without what I was searching for specifically being available. The default Splunk extraction utility does the same thing.

For example, in our firewalls, we log packet teardown data as well as the VPN logins. So, if I issue "WEBvpn session started NOT Teardown" I end up with the results that I'm looking for, just the VPN session started events. Then, if I attempt to use either the internal extraction utility OR this app, up to 1000 events, regardless of whether I'm using latest, diverse or outliers, I end up with all of the Teardown information clogging up the results.

1 Solution

carasso
Splunk Employee

This is intentional.

In Splunk, when you define a regular expression to extract a field, it has to "bind", or apply, to a source, a sourcetype, OR a host. So when you define a regex, it's going to apply to all the events of that source, sourcetype, or host (whichever one you bound the regex to), and not just the 15 that have the "connected from" text. As a result, we want you to see the effect of your regex on all the events it will apply to. If you only see the 15 events you have in mind, you'll not see the potentially disastrous effects it will have on other events.

That said, in the Field Extractor app, you can filter your events to just those that have a particular string (e.g., "connected from"), so that you can see the big picture and also focus in on particular events.

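The binding behaviour carasso describes, shown with a short Python script added here (it is not from the thread, from Splunk, or from the Field Extractor app). The firewall events, the field names and both regexes are constructed for illustration; the script applies each regex to every event of the "sourcetype", the way Splunk would, and separates hits on the events you were focusing on from hits on the other events.

```python
import re

# Constructed sample events from one firewall sourcetype. They are loosely modelled on
# VPN-login and connection-teardown messages and are NOT taken from the thread or a real device.
EVENTS = [
    "WEBVPN session started: user alice from 203.0.113.10",
    "WEBVPN session started: user bob from 203.0.113.11",
    "Teardown TCP connection 4711 for outside:198.51.100.5/443 to inside:10.0.0.7/51022 duration 0:00:12",
    "Teardown UDP connection 4712 for outside:198.51.100.9/53 to inside:10.0.0.7/51023 duration 0:00:01",
]

# A regex written while looking only at the "session started" events: grab the first IPv4 address.
SLOPPY = r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})"
# The same field anchored to the message text it is actually meant for.
STRICT = r"^WEBVPN session started: user (?P<user>\w+) from (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})$"


def extract(events, regex):
    """Apply one extraction regex to every event, as Splunk does for a whole
    source/sourcetype/host. Returns a list of field dicts (None = no match)."""
    pat = re.compile(regex)
    return [m.groupdict() if (m := pat.search(ev)) else None for ev in events]


def review_extraction(events, regex, filter_text):
    """Split the regex's hits into the events you were focusing on (those containing
    filter_text) and the other events of the same sourcetype that also get the field."""
    hits = extract(events, regex)
    report = {"focused": [], "side_effects": []}
    for ev, fields in zip(events, hits):
        if fields is None:
            continue
        bucket = "focused" if filter_text in ev else "side_effects"
        report[bucket].append((ev[:30], fields))
    return report


if __name__ == "__main__":
    for name, regex in (("sloppy", SLOPPY), ("strict", STRICT)):
        r = review_extraction(EVENTS, regex, "session started")
        print(name, "focused:", len(r["focused"]), "side_effects:", len(r["side_effects"]))
        for ev, fields in r["side_effects"]:
            print("   unintended extraction on:", ev, "->", fields)
```

The sloppy regex silently fills src_ip on every Teardown event with the remote server's address, which is exactly the kind of side effect you only notice when the extractor shows the whole sourcetype rather than the 15 filtered events.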
