Extract fields interactively
This documentation does not apply to the most recent version of Splunk.
In this example, we will use the Interactive Field Extractor (IFX) to teach Splunk how to extract IP addresses from your data.
Overview
For the IFX to learn how to extract a field, specify the host, source, or source type to which the extraction should apply. Next, provide a few example values of the field you want to extract. The example values should be present in the sample events shown. The IFX then generates a regular expression, which you can edit, test, or save.
Note: Unless you hand edit the regular expression, IFX learns to extract only one field at a time.
Generate the regex
1. To access the IFX, first run a search that generates events containing the field values that you want to extract.
Because we're interested in extracting IP addresses, we can search for Apache access logs with:
sourcetype=access_combined
2. From the results of the search, find an event that contains the field value; in this case, an IP address. Select "Extract fields" from the dropdown that appears beneath the timestamp for this result.
The IFX opens in a new window, Extract fields.
3. Select a host, source, or sourcetype value on which to restrict your field extraction.
This dropdown is populated with the field values from the event that you selected in step 2. If you want to choose a different host, source, or sourcetype value, close the window and select a different event in your search results or run a new search.
4. Enter example values of the field that you want Splunk to extract. You can copy and paste these values from the list of Sample events. For best results, give multiple examples.
Note: The list of Sample events is based on the event you selected from your search results and the field restriction you specified. If you change the field restriction, this list also changes; but it will still be based on the original event you selected.
5. Click Generate.
Splunk displays the regular expression pattern it generated to match your field values and a list of sample extractions based on the generated pattern.
If a sample extracted value does not match a value that you want to extract, click the grey (X) icon next to it to remove it. Splunk records that this is a value you do not want it to extract by placing it under "Incorrect extractions", and the IFX updates the generated pattern to reflect this change. To re-add a removed value and reset the regex, click the (+) icon next to it.
Before you save the new field, you can test the regex against a larger data set or edit the pattern manually.
Test the generated regex
To test the regex pattern that Splunk generates, click Test.
A new search window will open with a search that contains:
- your host, source, or sourcetype restriction, limited to the first 10,000 results.
- the rex command run with the regex Splunk generated for your FIELDNAME, removing any duplicate occurrences of the field value.
Edit the generated regex
If you're familiar with writing regexes, you can edit the pattern manually after Splunk generates it.
Note: In editing the regex, there is no need to rename the extracted field from "FIELDNAME", as you can specify the name when you save the regex.
Save the extracted field
To save your new field, click Save.
In the "Save Field Extraction" window, give your new field a name.
Important: Splunk only accepts field names that contain alphanumeric characters or an underscore:
- Valid characters for field names are a-z, A-Z, 0-9, or _.
- Field names cannot begin with 0-9 or _. (Leading underscores are reserved for Splunk's internal variables.)
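The following added example is not part of the Splunk documentation and does not use any Splunk code. It mimics, in plain Python, what the Test step's search does with the generated regex (a rex-style extraction followed by de-duplication of the extracted values) and applies the field-name rules from the Save step. The sample access_combined events and the regular expression are constructed for illustration; the IFX would generate its own pattern from the examples you supply.

```python
import re
from collections import OrderedDict

# Constructed Apache access_combined sample events (not real log data).
# The last event starts with a hostname rather than an IP, so it should
# produce no extraction, like a value you would list under "Incorrect extractions".
SAMPLE_EVENTS = [
    '10.1.2.3 - - [10/Oct/2009:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '192.168.0.44 - alice [10/Oct/2009:13:55:37 -0700] "POST /login HTTP/1.1" 302 0 "-" "curl/7.19"',
    '10.1.2.3 - - [10/Oct/2009:13:55:38 -0700] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    'proxy.example.test - - [10/Oct/2009:13:55:39 -0700] "GET / HTTP/1.1" 200 12 "-" "-"',
]

# Assumed stand-in for the regex the IFX would generate: a named capture
# group called FIELDNAME for the client IP at the start of the event.
GENERATED_REGEX = re.compile(r"^(?P<FIELDNAME>\d{1,3}(?:\.\d{1,3}){3})\s")

# Rules from the "Save the extracted field" step: letters, digits or
# underscore only, and the first character may not be a digit or underscore.
FIELD_NAME_REGEX = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")


def is_valid_field_name(name):
    """Return True if name satisfies the field-name rules above."""
    return FIELD_NAME_REGEX.match(name) is not None


def extract_field(events, regex, field_name):
    """Mimic rex with the generated pattern: one value per event, None
    where the pattern does not match (the field is simply absent)."""
    if not is_valid_field_name(field_name):
        raise ValueError("invalid field name: %r" % (field_name,))
    values = []
    for event in events:
        match = regex.search(event)
        values.append(match.group("FIELDNAME") if match else None)
    return values


def dedup_values(values):
    """Mimic the de-duplication in the test search: keep the first
    occurrence of each extracted value and drop events with no extraction."""
    return list(OrderedDict.fromkeys(v for v in values if v is not None))


if __name__ == "__main__":
    extracted = extract_field(SAMPLE_EVENTS, GENERATED_REGEX, "clientip")
    for event, value in zip(SAMPLE_EVENTS, extracted):
        print("%-14s <- %s" % (value, event[:40]))
    print("distinct values:", dedup_values(extracted))
```

Running the script shows three extracted IP values (one of them repeated), no value for the hostname event, and two distinct values after de-duplication; an attempt to save under a name such as "_clientip" or "9ip" is rejected before any extraction runs.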
Important: Extractions created by a user are stored under $SPLUNK_HOME/etc/users, and where they apply depends on the role the user has in relation to the app.
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11.