One thing that I've noticed, and it may be something that I'm doing incorrectly, but when I search for an event containing, say, "connected from" and I get, say, 15 results, when I attempt to run the extraction on the results, it pulls everything else in as well. Often more than 1000 lines of information are shown without what I was specifically searching for being available. The default Splunk extraction utility does the same thing.
For example, in our firewalls, we log packet teardown data as well as the VPN logins. So, if I issue "WEBvpn session started NOT Teardown" I end up with the results that I'm looking for, just the VPN session started events. Then, if I attempt to use either the internal extraction utility OR this app, up to 1000 events, regardless of whether I'm using latest, diverse or outliers, I end up with all of the Teardown information clogging up the results.
This is intentional.
In Splunk, when you define a regular expression to extract a field, it has to "bind", or apply, to a source, a sourcetype, OR a host. So when you define a regex, it's going to apply to all the events of that source, sourcetype, or host (whichever one you bound the regex to), and not just the 15 that have the "connected from" text. As a result, we want you to see the effect of your regex on all the events it will apply to. If you only see the 15 events you have in mind, you'll not see the potentially disastrous effects it will have on other events.
That said, in the Field Extractor app, you can filter your events to just those that have a particular string (e.g., "connected from"), so that you can see the big picture and also focus in on particular events.
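To make the answer's point concrete, here is an added example (not code from the original thread or from Splunk) that runs two candidate extractions over every event of a constructed firewall sourcetype, the way a sourcetype-bound regex does, and reports which extractions landed on events the original search would never have returned. The event lines, the `vpn_only` filter and the field names are all constructed for the example.

```python
import re

# Constructed sample events standing in for a single firewall sourcetype.
# A search for "WEBVPN session started NOT Teardown" returns only the VPN
# lines, but an extraction bound to the sourcetype runs against all four.
EVENTS = [
    "Jan 10 12:00:01 fw1 vpn: WEBVPN session started for user alice from 203.0.113.10",
    "Jan 10 12:00:05 fw1 conn: Teardown TCP connection 4401 for outside:198.51.100.5/443 to inside:10.0.0.5/51000 duration 0:00:10",
    "Jan 10 12:00:09 fw1 vpn: WEBVPN session started for user bob from 203.0.113.11",
    "Jan 10 12:00:12 fw1 conn: Teardown UDP connection 4402 for outside:198.51.100.6/53 to inside:10.0.0.6/40000 duration 0:00:02",
]

# Written while looking only at the VPN events: "the first IP is the client".
LOOSE_REGEX = r"(?P<vpn_client>\d{1,3}(?:\.\d{1,3}){3})"

# Anchored on the text that identifies the event type, so it cannot fire on
# teardown lines that live in the same sourcetype.
STRICT_REGEX = (r"WEBVPN session started for user (?P<vpn_user>\S+) "
                r"from (?P<vpn_client>\d{1,3}(?:\.\d{1,3}){3})")


def apply_extraction(pattern, events):
    """Run an extraction the way a sourcetype-bound regex would: over every event."""
    rx = re.compile(pattern)
    return [m.groupdict() if (m := rx.search(e)) else {} for e in events]


def collateral_matches(pattern, events, intended_filter):
    """Events the regex extracted fields from that the search would not have returned."""
    out = []
    for event, fields in zip(events, apply_extraction(pattern, events)):
        if fields and not intended_filter(event):
            out.append((event, fields))
    return out


def vpn_only(event):
    # Mirrors the search "WEBVPN session started NOT Teardown".
    return "WEBVPN session started" in event and "Teardown" not in event


if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE_REGEX), ("strict", STRICT_REGEX)):
        bad = collateral_matches(pattern, EVENTS, vpn_only)
        print(f"{name}: {len(bad)} unintended extraction(s)")
        for event, fields in bad:
            print(f"  {fields} <- {event}")
```

The loose pattern silently labels a teardown's destination address as `vpn_client` on two events; the anchored pattern extracts from the VPN events only, which is what checking the regex against the whole sourcetype is meant to reveal.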