Field Extractor: Validate step
The Validate step of the field extractor is for regular-expression-based field extractions only.
Validate your field extraction in the Validate step of the field extractor. The field extractor provides the following validation methods:
- Review the event list table to see which events match or fail to match the field extraction. See "Preview the results of the field extraction".
- Report incorrect extractions to the field extractor by providing counterexamples. In response, the field extractor attempts to improve the accuracy of the regular expression.
- Manually edit the regular expression. See "Manually edit the regular expression".
When you are done validating your field extractions, click Save to save the extraction.
Provide counterexample feedback
This is an optional action for the Validate step.
If you find events that contain incorrectly extracted fields, submit those events as counterexample feedback.
1. Find an event with a field value that has been incorrectly extracted.
- The highlighted text is not a correct value for the field that the highlighter represents.
2. Click the gray "X" next to the incorrect field value.
- The field extractor displays the counterexample event above the table, marking the incorrect value with red strikethrough. It also updates the regular expression and its preview results.
3. If a counterexample does not help, remove it by clicking the blue "X" to the left of the counterexample event.
Field Extractor: Rename Fields step
Field Extractor: Save step
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.6.0