Splunk Search

How do I create my own field based on events returned from a search?

kvsajay213
New Member

I have Event Output below

RPT: /DailyTestReport

I want to create a field as RPT and Field value as "/DailyOperation Reports ".

0 Karma

sk314
Builder

You could use rex on _raw field like so:

<your sourcetype> | rex field=_raw "RPT: (?<RPT>\w+)"

A better way would be to get your field extractions specified in props.conf and transforms.conf. Have a look at the documentation at the following link:

http://docs.splunk.com/Documentation/Splunk/6.2.2/Knowledge/Aboutfields

0 Karma

stephane_cyrill
Builder

Hi there are many ways :
lets do IFX.
1-from the result of your search.click the arrow to the left of timestamp of an event.
2-select EXTRACT FIELD under EVENT ACTION
3-the IFX opens in a new window, EXTRACT FIELDS.
4-Now it depending on the splunk version,the UI will be different. but in 6.2... there are steps.
5- at the first or the 2nd step, where you have a sample event, SELECT THE STRING you consider as value, a text box will be open and PUT THE NAME OF THE FIELD.
6-after that follow carefully the other steps ......

for other ways see:
docs.splunk.com/Documentation/Splunk/6.2.2/Knowledge/Managesearch-timefieldextractions

0 Karma

jtrucks
Splunk Employee
Splunk Employee

Use a field transformation to extract both the filename and the value.

See both:

http://docs.splunk.com/Documentation/Splunk/6.2.2/Admin/Transformsconf

and

http://answers.splunk.com/answers/214487/can-i-extract-a-field-with-a-regexed-dynamic-field.html

--
Jesse Trucks
Minister of Magic

jtrucks
Splunk Employee
Splunk Employee

You can access this via Splunkweb under settings -> fields -> field transformations, as well. Otherwise, you could do dances around with rex as well.

--
Jesse Trucks
Minister of Magic
0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...