- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- how to know the already extracted fields of any so...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how to know the already extracted fields of any source type
I uploaded a .csv file in two source types and forgot which fields i extracted and what name i given to extracted fields.
I used different names for same attribute in both source types.
is there a way to get know which name was given to which attribute while extracting fields?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@sudarshan391, You can run the following REST search in Splunk. Provided you have access.
| rest /serviceNS/-/-/props/extractions
| search eai.acl.app="<YourAppName>" AND author="<author>" AND stanza="<YourSourceType>"
| table attribute eai.acl.app stanza title type value author eai.acl.owner eai.acl.sharing eai.acl.perm.read eai.acl.perm.write
If you have a fixed App name and owner you can filter in the first query itself for example following looks at search app for admin owner:
| rest /serviceNS/admin/search/props/extractions
Since field extractions can be created based on source, host and sourcetype. Please use stanza filter to search for specific sourcetype, if you are aware that extractions have been created for specific sourcetype. Second pipe should be completely based on your needs.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
run
| inputlookup lookupname.csv
and see the fieldnames.
Bye.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, thanks for your quick reply. i tried above query but the result is blank.
i replaced lookupname.csv with my csv file name. I also put the index and source type before the | inputlookup
I tried below queries but no success. am i doing something wrong? sorry i am new to splunk.
| inputlookup Feb-March-Apr-May.csv
index=created_ticket sourcetype=created_ticket | inputlookup Feb-March-Apr-May.csv
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
If you go into 'Settings > Fields > Field Extractions' then search for the sourcetypes you specified on upload it should return all the extractions present for those sourcetypes. The results should be in the format 'sourcetype : extraction name'.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, yes you are right it is showing the 'sourcetype : extraction name' but what i am looking is what is inside in those extraction. means i want to remember which fields i was extracted and what name i giving to those extracted fields.
Thanks for your reply.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
