Splunk® Enterprise

Search Manual

Download manual as PDF

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Extract fields with search commands

You can use a variety of search commands to extract fields in different ways.

  • rex performs field extractions using Perl regular expressions named groups.
  • extract (or kv, for "key/value") explicitly extracts field/values using default patterns.
  • multikv extracts field/values on multi-line, tabular-formatted events.
  • spath extracts field/values on xml and json formatted event data.
  • xmlkv and xpath extract field/values on xml-formatted event data.
  • kvform extracts field/values based on predefined form templates.

Continuing reading for examples of usage for the rex, extract, multikv, xmlkv, and kvform commands.

Extract fields using regular expressions

The rex search command performs field extractions using Perl regular expression named groups that you include in the search string. It matches segments of your raw events with the regular expression and saves these values into a field.

In this example, Splunk matches terms that occur after the strings "From:" and "To:" and saves these values into the "from" and "to" fields, respectively.

... | rex field=_raw "From: (?<from>.*) To: (?<to>.*)"

If a raw event contains "From: Susan To: Bob", then Splunk would extract the field name/value pairs: "from=Susan" and "to=Bob".

For a primer on regular expression syntax and usage, see Regular-Expressions.info. The Splunk community wiki also has a list of useful third-party tools for writing and testing regular expressions.

Force field value extractions on search results

Force field extractions defined in conf files

The extract (or kv, for "key/value") search command forces field/value extraction on the result set. If you use extract without specifying any arguments, Splunk extracts fields using field extraction stanzas that have been added to props.conf. You can use extract to test any field extractions that you add manually through conf files.

Extract fields from events formatted as tables

Use multikv to force field/value extraction on multi-line, tabular-formatted events. It creates a new event for each table row and derives field names from the table title.

Extract fields from events formatted in xml

The xmlkv command enables you to force field/value extraction on xml-formatted tags in event data, such as transactions from web pages.

Extract fields from XML and JSON documents

The spath command provides a straightforward means for extracting information from structured data formats, XML and JSON, and storing them in fields.

Extract fields from events based on form templates

The kvform command extracts field/value pairs from events based on form templates that are predefined and stored in $SPLUNK_HOME/etc/system/local/, or your own custom application directory in $SPLUNK_HOME/etc/apps/. For example, if form=sales_order, Splunk would look for a sales_order.form, and Splunk would match all processed events against that form, trying to extract values.

Last modified on 19 April, 2016
Use lookup to add fields from lookup tables
Manipulate and evaluate fields with multiple values

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters