- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Not able to create a custom field from the manager...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not able to create a custom field from the manager pages
I am trying to create a custom field using Field-Extraction and Field-Transformation pages of Manager. I am providing a simple regular expression for key value pair with =.
Following are the settings done in transformation pages of manager.
Regular expression : ^(\\s|[^\s=]+)+\s|=?$
Source Key : _raw
Format : first::$1,second::$2
And attached it to search app.
In Field extraction pages, i have attached my test.txt file to the above transformation.
But the result is not as expected and shows the same results.
test data:
Name=Nagesh
The result should be Name:Nagesh
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If your test data contains
Name=Nagesh
Splunk will automatically extract a field called Name which contains the the value Nagesh. You need do nothing to configure that - unless you have assigned a sourcetype to this data which will prevent the automatic field extraction.
Field extraction does not change the existing data in anyway. Where did you expect to see "Name:Nagesh"? What is the sourcetype of the data?
Finally, I think that the syntax of your transformation entries is wrong.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In fact, you are wrong. Field extraction does not change the format of the data. It creates fields can be used in searches, reports and other commands.
If you really need to change the format of the data, be aware that this can only be done on inbound data as it is being parsed - and once the data is stored in the Splunk index, the format cannot be changed again. Here is how to do it using sed:
http://docs.splunk.com/Documentation/Splunk/4.2beta/Data/Anonymizedatausingconfigurationfiles#Throug...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The above data is just a sample data, the actual data is much different, this i have used here for testing purpose of how custom field extraction works.
"Field extraction does not change the existing data in anyway. Where did you expect to see "Name:Nagesh"? What is the sourcetype of the data?"
what does the
Format : first::$1,second::$2 represent in transforms.
I expected the data to be transformed into the above format. Am i wrong here?
the sourcetype is
sourcetype=ini-too_small
My file name is "test.ini"
The above sourcetype is autogenerated by the splunk.
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...
Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...
