Splunk Search

Field extraction using Splunk dashboard - appending constant text to an extracted field

jamesar
Explorer

I am wanting to extract a new field from the original source field, based on regex matches. I would then like to prepend/append some constant text to the extracted value. I would like to do this using the field transformation and field extraction dialogs in the Splunk web admin (alternatively I can also modify the light forwarder configs).

As an example, if the log file source contains the text "External", I would like to create a new field called "zone" with the value "Zone-External". I can achieve this via splunk search using the rex and eval commands, like the following:

Example source:
/opt/app/logs/CrowdCounting/cc_ip52_External-20161123.log

Dashboard query:
sourcetype=crowd_count | rex field=source "(?<zone_extract>External|OutsideCorner|Inside|FarSide)" | eval zone="Zone-".zone_extract

Using the field transformation/extraction admin dialogs, I can extract a field containing the matched text (i.e. zone=External), but I am unable to prepend/append any text to the value. Does anyone know how I can achieve this?

Alternatively, it would also be ok if I can do this via the splunkforwarder configs, however it appears this is not possible on a light forwarder. But I may be wrong?

Note: the data is ingested using a light universal splunkforwarder, and I am not able to modify the configs on the indexer at all.

Thanks,
Allan

woodcock
Esteemed Legend

Go to Settings -> Fields -> Field extractions -> New
Select the app that should own this field extraction from the Destination app list.
Select sourcetype from the Apply to list and enter crowd_count in the named box.
Select inline from the type list and enter (?<zone_extract>External|OutsideCorner|Inside|FarSide) in the Extraction/Transform field.
Click Save.

Go to Settings -> Fields -> Calculated fields -> New
Select the app that should own this field extraction from the Destination app list.
Select sourcetype from the Apply to list and enter crowd_count in the named box.
Enter zone in the Name box.
Enter "Zone-" + zone_extract in the Eval expression box.
Click Save.
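The two dialogs above are stored as search-time settings in props.conf on the search head. As an added example that is not part of woodcock's answer, this is the equivalent stanza (it assumes the regex runs against the source field, as in the question, and that the stanza lives in the owning app's local props.conf):

```ini
# props.conf, search-time settings on the search head (owning app's local/ directory assumed).
# Added example: the on-disk equivalent of the two dialogs above, not copied from this thread.
# Neither setting is applied by a universal/light forwarder; both run at search time only.
[crowd_count]

# Inline field extraction: run the regex against the "source" field instead of _raw,
# because the zone name is in the log file path, not in the event text.
EXTRACT-zone_extract = (?<zone_extract>External|OutsideCorner|Inside|FarSide) in source

# Calculated field: prepend constant text to the extracted value.
# If the regex does not match, zone_extract is null and zone is null as well.
EVAL-zone = "Zone-" + zone_extract
```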

0 Karma

gcusello
SplunkTrust

Hi jamesar.
try

sourcetype=crowd_count | rex field=source "(?<zone_extract>External|OutsideCorner|Inside|FarSide)" | eval zone="Zone-"+zone_extract

Bye.
Giuseppe

0 Karma

jamesar
Explorer

Hmm.. thanks for your effort Joseph. But as I said in the question, my search query listed in my question works correctly. However, I need to achieve this via the admin web interface (Field Transformations/Extractions pages) or alternatively via the Splunk light forwarder configs (although I don't think that is possible without modifying the configs on the Splunk indexer, which I do not have access to).

Thanks anyway,
Allan

0 Karma

gcusello
SplunkTrust

Hi jamesar,
sorry, I didn't understand your need!
Anyway, you can use the admin web interface:

  • to extract the zone_extract field, modifying the regex to (?<zone_extract>External|OutsideCorner|Inside|FarSide) on source, or creating a new one with this regex;
  • to create the "zone" field using Calculated fields with "Zone-"+zone_extract.

Bye.
Giuseppe

0 Karma