You know, it would be great if the reference page in the online manual for "rex" indicated your answer. ... View more

Splunk doc team: why can't you permalink your docs?    Current (2023/q1) docs: https://docs.splunk.com/Documentation/Splunk/9.0.4/Alert/EmailNotificationTokens ... View more

Your answer from 2020 was very unclear, less clear than the documentation. OK, so here goes: Splunk provides a fascinating way to search and report on log data, and promises simplicity in various use-cases. One (would think) extremely common use-case is for users in the enterprise edition to create custom regular expressions in order to extract values from select log lines, and then do various things with those extracted values.  The documentation and GUI lead one to think one can create a python-perl extended regex to extract such fields. However, instead of then being able to _use_ such a regex, the user must _save_ it somehow with a name. And then the documentation goes off in the weeds without any explanation as to how to _use_ such saved extractions. There's lots of discussion about props.conf and transforms.conf, but this appears to predate the enterprise edition, in which ordinary users do not have such godlike powers over a centralized, enteprise splunk deployment. So as simply as possible, please tell me what additional steps an ordinary user within an Splunk enterprise deploymnet must take in order to create searches and then later reports and alerts using saved field-extractions. ... View more

Not a useful answer. The question concerned a field extractor, not a transform. Are you implying that the ONLY way Splunk can use a field-extractor is to first create a transform? Pity, since that seems beyond the scope of an ordinary user. ... View more