Manage search-time field extractions
Use the Field extractions page in Manager to manage search-time field extractions that have been made through interactive field extractions (IFX) in Splunk Web or changes to conf files. The Field extractions page enables you to:
- Review the overall set of extractions that you have created or which your permissions enable you to see, for all Apps in your instance of Splunk.
- Update the role-based permissions for the extracted field. This is especially important for IFX field extractions, because they are only available to their creators until the permissions are updated.
- Update the regex for inline extractions that have been defined in props.conf.
- Add or delete named extractions that have been defined in transforms.conf.
- Delete field extractions that you have created, or for which you have write permissions.
Navigate to the Field extractions page by selecting Manager > Field extractions.
Reviewing search-time field extractions in Manager
To better understand how the Field extractions page in Manager displays your extracted field, it helps to understand how field extractions are set up in your props.conf and transforms.conf files. The method for defining field extractions in props.conf is discussed in "Add fields at search time" in this manual.
Field extractions can also be set up as transforms in transforms.conf. For more information about how this is done see the specs for the transforms.conf and props.conf files in the Admin manual.
Name column
The Name column in the Field extractions page displays the overall name of the field extraction, as it appears in props.conf. The format is:
<spec> : [EXTRACT-<class> | REPORT-<value>]
- <spec> can be:
  - <sourcetype>, the source type of an event.
  - host::<host>, where <host> is the host for an event.
  - source::<source>, where <source> is the source for an event.
- EXTRACT-<class> field extractions are extractions that are wholly defined in props.conf. They are created automatically by field extractions made through IFX and certain search commands. You can also add them by making direct updates to the props.conf file. This kind of extraction is always associated with a regular expression, which appears in the Extraction column.
- REPORT-<value> field extractions are linked to stanzas in transforms.conf, which is where their regular expressions are located.
Type column
There are two field extraction types: inline and transforms.conf.
- Inline extractions are often defined inline in Splunk Web through IFX or search commands, though they can be created through configuration file updates as well. Inline extractions always have EXTRACT-<class> name configurations, and are always defined in the props.conf file.
- Transforms.conf extractions are defined manually in transforms.conf and props.conf. Transforms.conf extractions also always have REPORT-<value> name configurations.
Expression column
In the Expression column, Manager displays different things depending on the field extraction type.
- For inline extractions, Manager displays the regular expression that Splunk uses to extract the field. The named group (or groups) within the regex show you what field(s) it extracts.
- In the case of transforms.conf extractions, Manager displays the name of the transforms.conf field extraction stanza (or stanzas) that the field extraction is linked to through props.conf. For example, the Expression column could display two values for an extraction: access-extractions and ip-extractions. These may appear in props.conf as:

[access_combined]
REPORT-access = access-extractions ip-extractions
In this example, access-extractions and ip-extractions are both names of field extraction stanzas in transforms.conf. Each stanza contains a regex that is used to extract one or more fields.
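As an added illustration that is not part of the Splunk documentation, the following Python script mimics how Splunk links a REPORT-<value> setting in props.conf to the named transforms.conf stanzas while an EXTRACT-<class> setting carries its regex inline, and then applies both to a single event. The props.conf and transforms.conf fragments and the access_combined event are constructed for this example; it assumes only (?P<name>...) named groups and ignores every transforms.conf setting other than REGEX.

```python
import configparser
import re

# Constructed props.conf fragment: one inline EXTRACT- and one REPORT- that
# points at two transforms.conf stanzas (same layout as the example above).
PROPS_CONF = r"""
[access_combined]
EXTRACT-status = HTTP/\d\.\d"\s(?P<status>\d{3})
REPORT-access = access-extractions ip-extractions
"""

# Constructed transforms.conf fragment: the regexes live here, not in props.conf.
TRANSFORMS_CONF = r"""
[access-extractions]
REGEX = ^\S+ \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+)
[ip-extractions]
REGEX = ^(?P<clientip>\d{1,3}(?:\.\d{1,3}){3})
"""

# Constructed sample event in access_combined format (not real traffic).
SAMPLE_EVENT = '10.0.0.5 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326'


def load_conf(text):
    """Parse a .conf fragment; keep key case so EXTRACT-/REPORT- prefixes survive."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def extract_fields(props_text, transforms_text, sourcetype, event):
    """Return the fields that the stanza for `sourcetype` extracts from `event`."""
    props = load_conf(props_text)
    transforms = load_conf(transforms_text)
    fields = {}
    for key, value in props[sourcetype].items():
        if key.startswith("EXTRACT-"):
            regexes = [value]  # inline extraction: the regex is the value itself
        elif key.startswith("REPORT-"):
            # transforms.conf extraction: the value names one or more stanzas,
            # each of which supplies its own REGEX
            regexes = [transforms[name]["REGEX"] for name in value.split()]
        else:
            continue
        for regex in regexes:
            match = re.search(regex, event)
            if match:
                # named groups become field names, exactly as in the Expression column
                fields.update({k: v for k, v in match.groupdict().items() if v is not None})
    return fields


if __name__ == "__main__":
    print(extract_fields(PROPS_CONF, TRANSFORMS_CONF, "access_combined", SAMPLE_EVENT))
```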
Update field extractions
You can edit the values displayed in the Expression column for any field extraction. Click the name of the field extraction that you want to edit to have Splunk open the details page for that field extraction. You can edit the regular expressions of inline extractions, and add or delete stanza names from transforms.conf field extractions.
Note: Transforms.conf field extractions must include at least one valid transforms.conf field extraction stanza name.
Update field extraction permissions
When a field extraction is created through an inline method (such as IFX or a search command) it is initially only available to its creator. To make it so that other users can use the field extraction, you need to update its permissions. To do this, locate the field extraction on the Field extractions page and select its Permissions link. This opens the standard permission management page used in Manager for knowledge objects (such as saved searches, event types, search macros, and navigation menus).
On this page you can set up the role-based permissions for the field extraction, and determine whether it is available to users of one specific App, or globally to users of all Apps.
Delete field extractions
On the Field extractions page in Manager, you can delete field extractions if your permissions enable you to do so. Click Delete for the field extraction that you want to remove.
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11.