Splunk Search

why fields should be extracted from raw data in splunk?

saibhaskarammu
New Member

why we need to extract fields from machine data?


woodcock
Esteemed Legend

You only need fields if you need to access specific data inside of your events. If you only need raw volume counts, then you don't need fields. You need fields if you need fields.


woodcock
Esteemed Legend

How else are you going to launch all ZIGs?


renjith_nair
SplunkTrust

Fields are the building blocks of searches, reports, and data models in Splunk Enterprise. When you run a search on your event data, Splunk Enterprise looks for fields in that data.

Splunk automatically extracts fields - at least the default fields, which are host, source, and sourcetype. If the auto-extracted fields are not enough for you to perform a search effectively, you have to extract fields manually, either at index time or at search time (Field Extraction).

To use the power of Splunk Enterprise search, create additional field extractions. Custom field extractions allow you to capture and track information that is important to your needs, but which is not automatically discovered and extracted by Splunk Enterprise. Any field extraction configuration you provide must include a regular expression that tells Splunk Enterprise how to find the field that you want to extract.

All field extractions, including custom field extractions, are tied to a specific source, sourcetype, or host value. For example, if you create an ip field extraction, you might tie the extraction configuration for ip to sourcetype=access_combined.

Custom field extractions should take place at search time, but in certain rare circumstances you can arrange for some custom field extractions to take place at index time.

Refer :
http://docs.splunk.com/Documentation/Splunk/6.0.7/SearchTutorial/Usefieldstosearch
http://docs.splunk.com/Documentation/Splunk/6.3.3/Knowledge/Aboutfields

Happy Splunking!
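As an added example (not from the original post, the Splunk docs, or Splunk's own code), the following plain-Python script shows what a search-time field extraction tied to `sourcetype=access_combined` actually does: a regular expression pulls named fields such as `clientip` and `status` out of each raw event, and only once those fields exist can you aggregate by them. The four log lines are constructed sample data, and the `props.conf` stanza in the comment is an illustration of how the same regex would be configured (Splunk uses PCRE `(?<name>...)` groups, Python's `re` needs `(?P<name>...)`).

```python
import re
from collections import Counter

# Constructed sample events in access_combined format (not real traffic).
EVENTS = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [10/Oct/2023:13:55:37 -0700] "GET /login HTTP/1.1" 401 512 "-" "Mozilla/5.0"',
    '192.168.1.20 - - [10/Oct/2023:13:55:38 -0700] "POST /login HTTP/1.1" 200 128 "-" "curl/7.88"',
    '10.0.0.5 - - [10/Oct/2023:13:55:39 -0700] "GET /admin HTTP/1.1" 403 0 "-" "Mozilla/5.0"',
]

# Illustrative props.conf equivalent (assumed stanza, same idea as the regex below,
# but written with Splunk's PCRE named-group syntax):
#   [access_combined]
#   EXTRACT-clientip = ^(?<clientip>\d{1,3}(?:\.\d{1,3}){3})\s
ACCESS_RE = re.compile(
    r'^(?P<clientip>\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+\S+\s+\[(?P<timestamp>[^\]]+)\]\s+'
    r'"(?P<method>[A-Z]+)\s+(?P<uri>\S+)\s+\S+"\s+(?P<status>\d{3})\s+(?P<bytes>\d+|-)'
)


def extract_fields(event):
    """Search-time extraction: return a dict of named fields, or {} if the regex does not match.
    Events that do not match simply carry no extracted fields, which is what Splunk does too."""
    m = ACCESS_RE.match(event)
    return m.groupdict() if m else {}


def raw_count(events):
    """What you get without any fields: the raw event volume
    (equivalent to `sourcetype=access_combined | stats count`)."""
    return len(events)


def count_by(events, field, where=None):
    """Equivalent of `... <filters> | stats count by <field>`.
    `where` is an optional dict of field=value filters applied before counting,
    e.g. {"status": "401"} to look only at failed logins."""
    counts = Counter()
    for ev in events:
        fields = extract_fields(ev)
        if not fields:
            continue  # unextracted event: it cannot be grouped or filtered by field
        if where and any(fields.get(k) != v for k, v in where.items()):
            continue
        counts[fields[field]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("raw volume:", raw_count(EVENTS))
    print("count by clientip:", count_by(EVENTS, "clientip"))
    print("count by status:", count_by(EVENTS, "status"))
    print("401s by clientip:", count_by(EVENTS, "clientip", where={"status": "401"}))
```

The last call is the security-relevant case: answering "which client IP is producing the 401s?" is impossible with raw counts alone and trivial once `clientip` and `status` have been extracted. Because the regex is anchored to the `access_combined` format, pointing the same extraction at a different sourcetype would silently yield no fields rather than wrong ones.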