Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I turn search terms into an extracted field?

saqibhome
Explorer
‎08-30-2018 01:46 PM

I would like to turn the seach terms into a extract field at the time of search. For e.g.

"search term 1" OR "search term 2" OR "search term 3"

Should become one extracted field. Is that possible in Splunk?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

saqibhome
Explorer
‎08-31-2018 10:48 AM

Figured it out. I am using the eval along with case to create the extracted field from the search terms. e.g.

"search term 1" OR "search term 2" OR "search term 3" | eval search_term=case(like(_raw, "%search term 1%"), "search term 1", like(_raw, "%search term 2%"), "search term 2",  like(_raw, "%search term 3%"), "search term 3")

search_term becomes the extracted field

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

saqibhome
Explorer
‎08-31-2018 10:48 AM

Figured it out. I am using the eval along with case to create the extracted field from the search terms. e.g.

"search term 1" OR "search term 2" OR "search term 3" | eval search_term=case(like(_raw, "%search term 1%"), "search term 1", like(_raw, "%search term 2%"), "search term 2",  like(_raw, "%search term 3%"), "search term 3")

search_term becomes the extracted field

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎08-30-2018 03:00 PM

i think what you are looking for is calls macros
read here:

https://docs.splunk.com/Splexicon:Searchmacro
http://docs.splunk.com/Documentation/Splunk/7.1.2/Knowledge/Searchmacroexamples

but maybe you mean eventtype.
read here:
http://docs.splunk.com/Documentation/Splunk/7.1.2/Knowledge/Abouteventtypes

hope it helps

0 Karma
Reply
Solved! Jump to solution

mstjohn_splunk
Splunk Employee
Splunk Employee
‎08-30-2018 02:42 PM

@saqibhome , thanks for posting on Splunk Answers.

But @pyrowood is right. if you want get this answered, you need to add more context to your question. Our community won't be able to help you if they don't have enough information to understand your problem.

Please see our Answers manual to see how to appropriately ask a question on the site.

Reply
Solved! Jump to solution

horsefez
Motivator
‎08-30-2018 02:01 PM

What?

You need to give us more information about what you are trying to do. It's not very clear, sorry.

Do you have some sample events on your hands?
Maybe describe what your expected Output should look like.

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...