Extract fields with search commands
As mentioned in "Extract and add new fields", you can use a variety of search commands to extract fields in different ways. Continue reading for examples of usage for the rex, extract, multikv, xmlkv, and kvform commands.
Extract fields using regular expressions
The rex search command performs field extractions using Perl regular expression named groups that you include in the search string. It matches segments of your raw events with the regular expression and saves these values into a field.
In this example, Splunk matches terms that occur after the strings "From:" and "To:" and saves these values into the "from" and "to" fields, respectively.
... | rex field=_raw "From: (?<from>.*) To: (?<to>.*)"
If a raw event contains "From: Susan To: Bob", then Splunk would extract the field name/value pairs: "from=Susan" and "to=Bob".
Force field value extractions on search results
Force field extractions defined in conf files
The extract (or
kv, for "key/value") search command forces field/value extraction on the result set. If you use
extract without specifying any arguments, Splunk extracts fields using field extraction stanzas that have been added to props.conf. You can use
extract to test any field extractions that you add manually through conf files.
Extract fields from events formatted as tables
Use multikv to force field/value extraction on multi-line, tabular-formatted events. It creates a new event for each table row and derives field names from the table title.
Extract fields from events formatted in xml
The xmlkv command enables you to force field/value extraction on xml-formatted tags in event data, such as transactions from web pages.
Extract fields from XML and JSON documents
The Documentation:Splunk:SearchReference:Spath command provides a straightforward means for extracting information from structured data formats, XML and JSON, and storing them in fields.
Extract fields from events based on form templates
The kvform command extracts field/value pairs from events based on form templates that are predefined and stored in
$SPLUNK_HOME/etc/system/local/, or your own custom application directory in
$SPLUNK_HOME/etc/apps/. For example, if
form=sales_order, Splunk would look for a
sales_order.form, and Splunk would match all processed events against that form, trying to extract values.
Extract and add new fields
Extract fields interactively in Splunk Web
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7