Splunk Search

Not able to create a custom field from the manager pages

nageshreddy81
New Member

I am trying to create a custom field using Field-Extraction and Field-Transformation pages of Manager. I am providing a simple regular expression for key value pair with =.
Following are the settings done in transformation pages of manager.
Regular expression : ^(\\s|[^\s=]+)+\s|=?$
Source Key : _raw
Format : first::$1,second::$2
And attached it to search app.

In Field extraction pages, i have attached my test.txt file to the above transformation.
But the result is not as expected and shows the same results.

test data:

Name=Nagesh

The result should be Name:Nagesh

Tags (1)
0 Karma

lguinn2
Legend

If your test data contains

Name=Nagesh

Splunk will automatically extract a field called Name which contains the the value Nagesh. You need do nothing to configure that - unless you have assigned a sourcetype to this data which will prevent the automatic field extraction.

Field extraction does not change the existing data in anyway. Where did you expect to see "Name:Nagesh"? What is the sourcetype of the data?

Finally, I think that the syntax of your transformation entries is wrong.

0 Karma

lguinn2
Legend

In fact, you are wrong. Field extraction does not change the format of the data. It creates fields can be used in searches, reports and other commands.

If you really need to change the format of the data, be aware that this can only be done on inbound data as it is being parsed - and once the data is stored in the Splunk index, the format cannot be changed again. Here is how to do it using sed:
http://docs.splunk.com/Documentation/Splunk/4.2beta/Data/Anonymizedatausingconfigurationfiles#Throug...

0 Karma

nageshreddy81
New Member

The above data is just a sample data, the actual data is much different, this i have used here for testing purpose of how custom field extraction works.

"Field extraction does not change the existing data in anyway. Where did you expect to see "Name:Nagesh"? What is the sourcetype of the data?"

what does the
Format : first::$1,second::$2 represent in transforms.
I expected the data to be transformed into the above format. Am i wrong here?

the sourcetype is

sourcetype=ini-too_small
My file name is "test.ini"

The above sourcetype is autogenerated by the splunk.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...