Create fields via Splunk Web
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Create fields via Splunk Web
Use interactive field extration to create new fields dynamically via Splunk Web. Any search can be turned into one or more fields. You can use interactive field extraction on the local indexer; it is not supported when attempting to extract from a non-local event (in a distributed search environment).
Note: You cannot use a field you've extracted based on event types to define another event type or field.
To extract fields with Splunk Web:
1. Run a search in Splunk Web:
host=pearl2. Each event has a drop-down arrow under the timestamp. Click the drop-down arrow under the timestamp of any interesting event.
3. Choose Extract field. A dialog box pops up, allowing you to configure your field extraction rules:
- View the Sample Event dialog to see the event that you chose to extract fields from.
4. Enter values in the Example Value(s) dialog to tell Splunk what you want to extract as a field.
5. From the Rules section, select an event type, host, source, or sourcetype to restrict events you're extracting from.
6. Click Preview to show the rules (regular expressions under Generated rules) that Splunk uses to extract the example values. View the events Splunk extracted values from via the Preview window.
7. Select or de-select rules (Generated rules) or Preview extractions to alter the field extraction rule you want to create.
8. When you are satisfied with the results, click Save to save and name the field.
Important: Do not include spaces in your field name. Splunk may not format the regex (in transforms.conf properly for field names that contain spaces. Also, if you include non-alphanumeric characters in your field name, Splunk:
- Trims leading non-alphanumeric characters.
- Replaces other non-alphanumeric characters with an underscore.
You can now use the extracted field you just created in a search.
The field extraction action above will be stored in props.conf and transforms.conf in $SPLUNK_HOME/etc/system/local directory. In order to undo the field extracted, comment respective stanzas in props.conf and transforms.conf and restart Splunk.
This documentation applies to the following versions of Splunk: 3.3 , 3.3.1 , 3.3.2 , 3.3.3 , 3.3.4 , 3.4 , 3.4.1 , 3.4.2 , 3.4.3 , 3.4.5 , 3.4.6 , 3.4.8 , 3.4.9 , 3.4.10 , 3.4.11 , 3.4.12 , 3.4.13 , 3.4.14 View the Article History for its revisions.