Splunk Search

Tutorial for Field Extractor App?

krussell101
Path Finder

I would desperately like to use this application but it has out-smarted me.

Is there a video or some other sort of tutorial for first time users of this application?

Thanks!

0 Karma
1 Solution

dmaislin_splunk
Splunk Employee

Certainly, if you are going to be using Splunk often, starting to learn regular expressions is the best advice I can give you. I would recommend that you start small, like trying to extract a simple field. Here are some pointers...

... | erex date examples="7/01, 07/02" counterexamples="99/2"

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Erex

Then, after some matches occur, finalize your search and you will see a little area below the search that shows you the field extraction regular expression for the rex command. You can replace the erex command with the rex command, which might look something like this:

... | rex field=_raw "Date:\s(?<date>\d+\/\d+)"

http://docs.splunk.com/Documentation/Splunk/4.3.3/SearchReference/Rex

Then, start using the default drop-down triangle on the left of the log line to extract fields using the UI. Not much to it: simply copy examples, paste them into the box, and save/name your field extraction.

Finally, you can use the field extraction app; it is best to select the advanced options so you can control where the field extraction saves. Overall, though, all these extraction apps do basic extractions that are greedy and can many times have false positives.

My recommendation is to practice with tools like these:

http://gskinner.com/RegExr/
http://regexhero.net/tester/
http://www.hongkiat.com/blog/regular-expression-tools-resources/ 


0 Karma
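As an added illustration (not the answer's own code, and not anything Splunk ships), here is the erex examples/counterexamples idea and the "greedy extractions have false positives" caveat worked through in Python on a few constructed log lines. The sample events, the EXAMPLES/COUNTEREXAMPLES lists beyond the ones the answer gives, the LOOSE_PATTERN and TIGHT_PATTERN regexes, and the function names are all my assumptions; the PAGE_PATTERN is the answer's rex regex rewritten in Python's named-group syntax.

```python
import re

# Constructed sample events (not from the page), shaped so the answer's
# "Date:" rex example applies to them. The last two are deliberately awkward:
# one carries a bogus date, one has a digits/digits token that is not a date.
SAMPLE_EVENTS = [
    "Date: 7/01 user=alice action=login result=success",
    "Date: 07/02 user=bob action=login result=failure",
    "Date: 99/2 user=mallory action=login result=failure",
    "ticket=123/456 user=carol action=view",
]

# The answer's erex examples and counterexample, plus one extra
# counterexample for the ticket line (my addition).
EXAMPLES = ["7/01", "07/02"]
COUNTEREXAMPLES = ["99/2", "123/456"]

# The answer's rex regex. Splunk rex uses PCRE, where the named group is
# written (?<date>...); Python's re spells the same group (?P<date>...).
PAGE_PATTERN = r"Date:\s(?P<date>\d+/\d+)"

# What an auto-generated extraction often looks like: the value pattern with
# no anchor to the field label, so it fires on any digits/digits anywhere.
LOOSE_PATTERN = r"(?P<date>\d+/\d+)"

# A tightened version (my assumption of what a date should look like here):
# month 1-12, day 1-31, still anchored to the "Date:" label, and not followed
# by another digit so "3/1" cannot match inside "3/15".
TIGHT_PATTERN = (
    r"Date:\s(?P<date>(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01]))(?!\d)"
)


def extract(pattern, events, field="date"):
    """Apply a rex-style regex to each event.

    Returns one value per event, None where the named group did not match,
    which is how a missing field shows up in Splunk search results.
    """
    regex = re.compile(pattern)
    values = []
    for event in events:
        match = regex.search(event)
        values.append(match.group(field) if match else None)
    return values


def check(pattern, events, examples, counterexamples, field="date"):
    """erex-style validation of a candidate regex.

    'missed' lists example values the regex never produced from the events;
    'false_positives' lists counterexample values it did produce. A regex
    you would trust in a saved extraction should leave both lists empty.
    """
    extracted = {v for v in extract(pattern, events, field) if v is not None}
    return {
        "missed": [ex for ex in examples if ex not in extracted],
        "false_positives": [cx for cx in counterexamples if cx in extracted],
    }


if __name__ == "__main__":
    for name, pattern in [("page", PAGE_PATTERN),
                          ("loose", LOOSE_PATTERN),
                          ("tight", TIGHT_PATTERN)]:
        print(f"{name:6} {extract(pattern, SAMPLE_EVENTS)}")
        print(f"{'':6} {check(pattern, SAMPLE_EVENTS, EXAMPLES, COUNTEREXAMPLES)}")
```

Running it shows the progression the answer describes: the unanchored pattern extracts "123/456" from the ticket line, the answer's label-anchored pattern drops that but still accepts "99/2", and the tightened pattern rejects both while still producing the two example values. Python's re and Splunk's PCRE agree on everything used here apart from the named-group spelling, so once a pattern passes this kind of check, paste it back into rex (with `(?<date>...)`) and confirm it against live events before saving it as an extraction.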

dmaislin_splunk
Splunk Employee

In the Manager of the UI you can go to Manager, Fields, Field extractions. From there you can move them to an app, change permissions so they are within the appname/local by assigning them to the app in permissions, etc.

Depending on which app you were in when you did the extractions, in the shell you can go to $SPLUNK_HOME/etc/users/admin/appname/local

Please accept my answer if you can.

Thanks!

0 Karma

krussell101
Path Finder

Found it! Thanks again.

0 Karma


krussell101
Path Finder

Interesting. Yesterday evening I thought "I need to just suck it up and get better at regexes." 🙂

Your approach is better than mine though. I like that it will build regexes for me that I can manipulate.

Thanks.

One more question... I've created a handful of extractions and wanted to see what they looked like in the config files. Docs say props.conf and/or transforms.conf. But I can't find my extractions anywhere. (This isn't the first time the docs point me to a config file and I find it empty.) Guidance hugely appreciated.

0 Karma