Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Apply field extraction to source field

namrithadeepak
Path Finder
‎07-17-2017 08:22 AM

Hi,

I need to extract a few fields from the 'source' field.

I do not have access to props.conf.

Is there anyway of doing this extraction from the Splunk Search Head UI? (as I do not have access to change props.conf)

Thanks,
Namritha

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

sbbadri
Motivator
‎07-17-2017 08:46 AM

Fields » Field transformations » Add new
Name : tranfroms name
Type: regex-based
Regular expression: your regular
Format: your field name::$1
Source key: source

Fields » Field extractions » Add new

Name : extraction name
sourcetype : give your sourcetyp
Type: Use transform
Extraction/Transform: transform name mentioned above

I hope this helps

View solution in original post

Reply
Solved! Jump to solution

wpreston
Motivator
‎07-17-2017 08:58 AM

If you go to Settings --> Fields --> Field Transformations, you can create a field transform (a field extracting regular expression) that uses the "source" field as the source-key.

Next go to Settings --> Fields --> Field Extractions and create a new extraction, being sure to set the "Type" to Transform and using the Transform you created above.

Be sure to put both of these in the correct app.

0 Karma
Reply
Solved! Jump to solution

wpreston
Motivator
‎07-17-2017 08:59 AM

@sbbadri beat me to it 🙂

0 Karma
Reply
Solved! Jump to solution

namrithadeepak
Path Finder
‎07-18-2017 02:10 PM

Thankyou very much

0 Karma
Reply
Solved! Jump to solution
Solution

sbbadri
Motivator
‎07-17-2017 08:46 AM

Fields » Field transformations » Add new
Name : tranfroms name
Type: regex-based
Regular expression: your regular
Format: your field name::$1
Source key: source

Fields » Field extractions » Add new

Name : extraction name
sourcetype : give your sourcetyp
Type: Use transform
Extraction/Transform: transform name mentioned above

I hope this helps

Reply
Solved! Jump to solution

mattymo
Splunk Employee
Splunk Employee
‎07-17-2017 08:49 AM

http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managesearch-timefieldextractions#Add_n...

Badri nailed it. Here are the docs that walk you through it. This will be the same thing as configuring directly via the conf files.

Also remember that you don't need the field names in the capture groups if you use the transforms method.

Some real good reading here too:

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf#Field_extraction_configuration
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf#GLOBAL_SETTINGS

- MattyMo
0 Karma
Reply
Solved! Jump to solution

namrithadeepak
Path Finder
‎07-18-2017 02:10 PM

Thankyou 🙂
Worked beautifully.

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎07-17-2017 08:24 AM

You can use rex but it will only apply at search time

Example:

... | rex field=source <REGEX>

0 Karma
Reply
Solved! Jump to solution

namrithadeepak
Path Finder
‎07-17-2017 08:32 AM

I want to define it as an extracted field.

I am going to using field1 and field2 in summary indexes, and I do not want to include regex in summary index.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...