Splunk® Enterprise

Knowledge Manager Manual


Field Extractor: Select Method step

In the Select Method step of the field extractor you can choose a field extraction method that fits the data you are working with.

The step displays your Source or Source type and your sample event. At the bottom of the step you see two field extraction methods: Regular Expression and Delimiters.

[Image: the field extractor Select Method step]

1. Click the field extraction method that is appropriate for your data.

Click Regular Expression if the event that you have selected is derived from unstructured data such as a system log. The field extractor can attempt to generate a regular expression that matches similar events and extracts your fields.
Click Delimiters if the fields in your selected event are:
  • cleanly separated by a common delimiter, such as a space, a comma, or a pipe character.
  • consistent across multiple events (each value is in the same place from event to event).
This is commonly the case with structured, table-based data such as .csv files or events indexed from a database.
Here is an example of an event that uses a comma delimiter to separate its fields. Its source is a .csv file from the USGS Earthquakes website, which provides data on earthquakes that have occurred around the world over a 30 day period.
2015-06-01T20:11:31.560Z,44.4864,-129.851,10,5.9,mwb,,158,4.314,1.77,us,us20002l3n,2015-06-01T21:38:31.455Z,Off the coast of Oregon
You can see that there is a missing field where two commas appear next to each other.
In cases where your fields are separated by delimiters but are not consistent across multiple events, you should use the Regular Expression method in conjunction with required text. Here's an example of two events that use a cleanly separated comma delimiter but whose fields are not consistent:
  • indexer.splunk.com,jesse,pwcheck.fail
  • Indexer.splunk.com,usercheck,greg
The second extracted field would contain both jesse and usercheck, even though those are values for two different fields. So this set of events is not a good candidate for delimiter-based field extraction.
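The following Python snippet is an added illustration (not part of the Splunk documentation) of the two behaviours described above: delimiter-based extraction assigns values strictly by position, so an empty slot between two adjacent commas is kept and a mis-aligned event puts unrelated values into the same field, whereas a regular expression that includes required text only extracts from events that actually carry that text. The USGS column names are assumed for illustration, and the sample events are the ones quoted in the text.

```python
import re
from typing import Dict, List, Optional

# Sample events, copied from the examples discussed above.
USGS_EVENT = ("2015-06-01T20:11:31.560Z,44.4864,-129.851,10,5.9,mwb,,158,4.314,"
              "1.77,us,us20002l3n,2015-06-01T21:38:31.455Z,Off the coast of Oregon")
# Assumed names for the 14 comma-separated columns (illustrative, not from the page).
USGS_FIELDS = ["time", "latitude", "longitude", "depth", "mag", "magType", "nst",
               "gap", "dmin", "rms", "net", "id", "updated", "place"]

INCONSISTENT_EVENTS = [
    "indexer.splunk.com,jesse,pwcheck.fail",
    "Indexer.splunk.com,usercheck,greg",
]


def delimiter_extract(event: str, delimiter: str, field_names: List[str]) -> Dict[str, str]:
    """Assign values to fields purely by position, as delimiter extraction does.

    An empty slot between two adjacent delimiters is kept as an empty string,
    so the fields that follow it do not shift to the left.
    """
    values = event.split(delimiter)
    return dict(zip(field_names, values))


# Regular expression with required text: the literal "pwcheck.fail" must be present,
# so a user is only extracted from events that really are password-check failures.
PWCHECK_FAIL_RE = re.compile(r"^(?P<host>[^,]+),(?P<user>[^,]+),pwcheck\.fail$")


def extract_pwcheck_user(event: str) -> Optional[str]:
    """Return the user from a pwcheck.fail event, or None if the required text is absent."""
    match = PWCHECK_FAIL_RE.match(event)
    return match.group("user") if match else None


if __name__ == "__main__":
    quake = delimiter_extract(USGS_EVENT, ",", USGS_FIELDS)
    print("nst is empty:", quake["nst"] == "")       # the missing field survives as ""
    print("place:", quake["place"])

    # Position-based extraction puts 'jesse' and 'usercheck' into the same field.
    print([delimiter_extract(e, ",", ["host", "field2", "field3"])["field2"]
           for e in INCONSISTENT_EVENTS])
    # Required text restricts the extraction to the event it applies to.
    print([extract_pwcheck_user(e) for e in INCONSISTENT_EVENTS])
```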

2. Click Next to go on to the next step.

If you have chosen the Regular Expression method, you go on to the Select fields step.

If you have chosen the Delimiters method, you go on to the Rename fields step.


This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2
