- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Create a new field from a field-extraction
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello:
I have an existing field name "filename" (extracted from Splunk) in this format abcdefg.000000AB.DDD01A222222222222222222.xml. I want to create a new field that extracts the characters in the position of "DDD01A" in the field above.
I do not want to lose the existing "filename" extraction - I want to add another column with the new value.
The Extract New Fields GUI did not work. Can someone please advise?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm assuming that you want to do an automatic field extraction. This is possible by modifying the regex that is used for the field extraction. I'm going to assume that you have part of the regex that extract the filename field already in the regex. To do what you have described, modify the regex something like the following:
(?P<filename>\w+\.\w+\.(?P<new>\w{6})\w+\.xml)
This will allow the 6 character portion that you wanted to extract within the other field (filename). You haven't described the complete field extraction for either of the fields, so I'm just going by what is there as an example. You can find an example of this type of field extraction in my .conf2017 presentation:
http://conf.splunk.com/files/2017/slides/beyond-regular-regular-expressions-v20.pdf
It starts on slide 76 in the PDF. The video is also available at:
http://conf.splunk.com/files/2017/recordings/beyond-regular-regular-expressions-v2-point-0.mp4
That part of the presentation starts at 38:33. These are both going to initiate downloads.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First, try this in a search and verify it pulls what you want.
| rex field=filename "^[^\.]*\.[^\.]*\.(?<mynewfield>.{6})"
Assuming that selects what you want, then in transforms.conf you want a stanza to extract your field...
[mynewfieldstanza]
SOURCE_KEY = filename
REGEX = ^[^\.]*\.[^\.]*\.(?<mynewfield>.{6})
FORMAT = mynewfield::$1
... and in props.conf in the stanza for the appropriate source type you need to tell the system to execute that stanza, after you execute whatever extracts filename.
That could be a line in the mysourcetype stanza that says,
[mysourcetype]
TRANSFORMS-foo1 myfilenamestanza
TRANSFORMS-foo2 mynewfieldstanza
or
REPORT_foo2 mynewfieldstanza
or
EXTRACT-foo2 mynewfieldstanza
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @DalJeanis
i am using a similar search to extract field from the "source" field.
my query is index=xyz sourcetype="abc" host="hostname" |rex field=source ".?\bxyz\b\/(?.?)\/"
But when i add the same extraction in the field extractions from the settings tab i add the expression as
field=source ".?\bxyz\b\/(?.?)\/"
when i do this the extraction doesnt work
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
|eval new=susbstr(filename,18,6)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the feedback!
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
Welcome to the Splunk Community!
