Your answer from 2020 was very unclear, less clear than the documentation. OK, so here goes: Splunk provides a fascinating way to search and report on log data, and promises simplicity in various use-cases. One (would think) extremely common use-case is for users in the enterprise edition to create custom regular expressions in order to extract values from select log lines, and then do various things with those extracted values. The documentation and GUI lead one to think one can create a python-perl extended regex to extract such fields. However, instead of then being able to _use_ such a regex, the user must _save_ it somehow with a name. And then the documentation goes off in the weeds without any explanation as to how to _use_ such saved extractions. There's lots of discussion about props.conf and transforms.conf, but this appears to predate the enterprise edition, in which ordinary users do not have such godlike powers over a centralized, enteprise splunk deployment. So as simply as possible, please tell me what additional steps an ordinary user within an Splunk enterprise deploymnet must take in order to create searches and then later reports and alerts using saved field-extractions.
... View more