Extract fields interactively in Splunk Web
Use the interactive field extraction (IFX) feature of Splunk Web to create custom fields dynamically on your local Splunk instance. IFX enables you to define any pattern for recognizing one or more fields. IFX is especially useful if you are not familiar with regular expression syntax and usage, because it will generate field extraction regexes for you (and enable you to test them). Also, unless you hand edit the regular expression, IFX learns to extract only one field at a time.
Splunk is very good at handling Web access logs, so there is really no information that it hasn't already extracted for you. For the examples here, let's just walk how to extract the IP addresses from events.
1. To access the IFX, first run a search that generates events containing the field values that you want to extract.
Because we're interested in extracting IP addresses, we can search for Apache access logs with:
2. From the results of the search, find an event that contains the field value; in this case, an IP address. Click on the arrow to the left of the timestamp of an event and select Extract fields.
The IFX opens in a new window, Extract fields.
3. Choose sourcetype="access_combined" from the Restrict field extraction to menu.
This dropdown is populated with the field values from the event that you selected in step 2. If you want to choose a different host, source, or sourcetype value, close the window and select a different event in your search results or run a new search.
4. Type, or copy and paste, some values of IP addresses from your results into the Example values text box. For best results, give multiple examples.
The list of Sample events is based on the event you selected from your search results and the field restriction you specified. If you change the field restriction, this list also changes; but it will still be based on the original event you selected.
5. When you think you have enough sample values, click Generate. Splunk generates a regex pattern for your field, based on the information you gave it and the general format of your events.
6. Review the Sample extractions and Sample events to see if there are any values that you don't want or any values that you do what that aren't displayed in the list.
If you see unwanted values, click the X next to the value to remove it. If you notice a value that is left out, add it to the list of Sample events. The IFX will update the generated pattern to reflect this change. To re-add any value and reset the regex, just click the + icon next to it.
7. Before you save the new field, you can test the regex against a larger data set or edit the pattern manually.
When you click Test from the field extractions page, Splunk takes you to the Search view and runs a search:
- against your host, source, or sourcetype restriction, limited to first 10,000 results.
- using the rex command with the regex Splunk generated for your FIELDNAME, removing any duplicate occurrences of the field value.
If you edit the search expression manually in the test window, you must copy-paste your changes back to the IFX page.
If you're familiar with writing regexes, you can edit the pattern manually after Splunk generates it; just click Edit in the IFX window.
Also, you'll notice that the name of the extracted field in the search or edit window is "FIELDNAME". You do not need to rename this value because it will be set with the name you enter when you save the extraction.
After testing or editing your regex, return to the IFX window.
8. If the expression looks like it's working, click Save.
This opens the Save Field Extraction window.
9. Name your extraction clientip and click Save.
Splunk only accepts field names that contain alpha-numeric characters or an underscore:
- Valid characters for field names are a-z, A-Z, 0-9, or _ .
- Field names cannot begin with 0-9 or _ . (Leading underscores are reserved for Splunk's internal variables).
Important: Extractions created by a user will be located in
$SPLUNK_HOME/etc/users and will be a function of the role a user has, with relationship to the app.
Extract fields with search commands
Use field lookups to add information to your events
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7