
Build field extractions with the field extractor
Use the field extractor utility to create custom fields dynamically on your Splunk Enterprise instance. The field extractor enables you to define field extractions by selecting a sample event and highlighting fields to extract from that event. It also provides several tools to help you test and refine the accuracy of your field extraction.
The field extractor is useful if you are not familiar with regular expression syntax and usage, because it generates field-extracting regular expressions and lets you test them. Regular expressions form the foundation of field extractions: Splunk Enterprise uses them to find fields in events and extract their values.
You can manually create or edit these regular expressions. However, doing this pulls you out of the field extractor workflow. When you save your changes to a regular expression, you skip to the final Save step of the field extractor, where you save the field extraction you just created.
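The following is an added illustration, not Splunk's own generated output, of what a field extraction for the access_combined source type amounts to: a regular expression with one named capture group per field, applied to a sample event and then checked against further events in the same way the Validate fields step does. The sample events are constructed; Splunk writes named groups as (?<name>...), while Python's re module requires the (?P<name>...) spelling used here.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample events in the Apache access_combined style (not indexed data).
SAMPLE_EVENTS = [
    '10.0.0.5 - - [12/Mar/2015:10:15:32 -0700] "GET /index.html HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.0.9 - alice [12/Mar/2015:10:16:01 -0700] "POST /login HTTP/1.1" 302 512 "http://example.com/" "curl/7.40"',
    '10.0.0.7 - - [12/Mar/2015:10:16:45 -0700] "GET /admin HTTP/1.1" 403 221 "-" "Mozilla/5.0"',
]

# Field-extracting regex: each named group becomes a field name in the extraction.
ACCESS_COMBINED_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ (?P<user>\S+) \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri_path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<useragent>[^"]*)"$'
)


def extract_fields(event: str) -> Optional[Dict[str, str]]:
    """Return field/value pairs for one event, or None if the regex does not match it."""
    match = ACCESS_COMBINED_RE.match(event)
    return match.groupdict() if match else None


def validate_extraction(events: List[str]) -> Tuple[List[str], List[str]]:
    """Mirror the Validate fields step: split events into those the regex
    extracts from and those it misses, so over- or under-matching is visible."""
    matched, missed = [], []
    for event in events:
        (matched if extract_fields(event) is not None else missed).append(event)
    return matched, missed


if __name__ == "__main__":
    ok, bad = validate_extraction(SAMPLE_EVENTS + ["this line is not an access_combined event"])
    for event in ok:
        fields = extract_fields(event)
        print(fields["clientip"], fields["method"], fields["uri_path"], fields["status"])
    print("events the extraction missed:", bad)
```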
Overview of the field extractor
To help you create a new field, the field extractor takes you through a set of steps. This table gives you an overview of the required steps. Each step is described in detail after the table.
Step title | Description |
---|---|
Select sourcetype | Define the source type that the new field is tied to. |
Select sample | Select an event that has the field or fields that you want to extract. |
Select fields | Highlight one or more values in the event to identify them as fields for the field extractor to extract from similar events. Optionally, you can: |
Validate fields | |
Save | Name your new field extraction, set its permissions, and save it. |
Access the field extractor
There are several ways to access the field extractor utility. The access method you use can determine which step of the field extractor workflow you start at.
All users can access the field extractor after running a search that returns events. You have three post-search entry points to the field extractor:
- Bottom of the fields sidebar
- All Fields dialog box
- Any event in the search results
You can also enter the field extractor:
- from the Splunk Enterprise Home page
- from the Field Extractions page in Settings
- when you add data with a fixed source type
Access the field extractor from the bottom of the fields sidebar
When you use this method to access the field extractor, it runs only against the set of events returned by the search that you have run. To get the full set of source types in your Splunk Enterprise instance, go to the Field Extractions page in Settings.
1. Run a search that returns events.
2. Scroll down to the bottom of the fields sidebar and click Extract new fields.
- If your search string does not identify a sourcetype value, the field extractor starts you at the Select Sourcetype step.
- If your search string identifies a sourcetype value, such as sourcetype=access_combined, the field extractor starts you at the Select Sample step.
Access the field extractor from the All Fields dialog box
When you use this method to access the field extractor, it runs only against the set of events returned by the search that you have run. To get the full set of source types in your Splunk Enterprise instance, go to the Field Extractions page in Settings.
1. Run a search that returns events.
2. At the top of the fields sidebar, click All Fields.
3. In the All Fields dialog box, click Extract new fields.
- If your search string does not identify a sourcetype value, the field extractor starts you at the Select Sourcetype step.
- If your search string identifies a sourcetype value, such as sourcetype=access_combined, the field extractor starts you at the Select Sample step.
Access the field extractor from a specific event
Use this method to select an event in your search results, and create a field extraction that:
- Extracts one or more fields found in that event.
- Is tied to the source type of that event.
When you use this method to access the field extractor, it runs only against the set of events returned by the search that you have run. To get the full set of source types in your Splunk Enterprise instance, go to the Field Extractions page in Settings.
1. Run a search that returns events.
2. Find an event that you want to extract fields from, and click the arrow symbol to the left of the timestamp to open it.
3. Click Event Actions, and select Extract Fields.
- The field extractor starts you at the Select Fields step, because the source type and sample event are already defined by the event you selected.
Access the field extractor through the Field Extractions page in Settings
This entry method is available to all users.
1. Select Settings > Fields > Field extractions.
2. Click the Open field extractor button.
- The field extractor starts you at the Select Sourcetype step.
Access the field extractor through the Home page
This entry method is available only to users whose roles have the edit_monitor capability, such as Admin.
On the Home page, click the extract fields link under the Add Data icon.
The field extractor starts you at the Select Sourcetype step.
Access the field extractor after you add data
This entry method is available only to users whose roles have the edit_monitor capability, such as Admin.
After you add data to Splunk Enterprise, use the field extractor to extract fields from that data, as long as it has a fixed source type.
For example: You add a file named vendors.csv to your Splunk Enterprise instance and give it the custom source type vendors. After you save this input, you can enter the field extractor and extract fields from the events associated with the vendors source type.
By contrast, suppose you create a monitor input for the /var/log directory and select Automatic for the source type, meaning that Splunk Enterprise determines the source type of the data from that input on an event-by-event basis. When you save this input you do not get a prompt to extract fields from the new data input, because the events indexed from that directory can have a variety of source type values.
1. Enter the Add Data page.
- See "How do you want to add data?" in the Getting Data In manual.
2. Define a data input with a fixed source type.
- This can be an existing source type or a custom source type that you define. See "View and set source types for event data" in the Getting Data In manual.
3. Save the new data input.
4. In the "File has been uploaded successfully" dialog box, click Extract Fields.
- The field extractor starts you at the Select Sample step.
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15