Splunk® Enterprise

Knowledge Manager Manual



Build field extractions with the field extractor

Use the field extractor utility to create custom fields dynamically on your Splunk Enterprise instance. The field extractor enables you to define field extractions by selecting a sample event and highlighting fields to extract from that event. It also provides several tools to help you test and refine the accuracy of your field extraction.

The field extractor is useful if you are not familiar with regular expression syntax and usage, because it generates field-extracting regular expressions and allows you to test them. Regular expressions form the foundation of field extractions. Splunk Enterprise uses regular expressions to find fields in events and extract them.

You can manually create or edit these regular expressions. However, doing this pulls you out of the field extractor workflow. When you save your changes to a regular expression, you skip to the final Save step of the field extractor, where you save the field extraction you just created.

Overview of the field extractor

To help you create a new field, the field extractor takes you through a set of steps. This table gives you an overview of the required steps. Each step is described in detail in the topics that follow.

Step title          Description

Select Sourcetype   Define the source type that the new field is tied to.

Select Sample       Select an event that has the field or fields that you want to extract.

Select Fields       Highlight one or more values in the event to identify them as fields for the field extractor to extract from similar events. Optionally, you can:
                      • Provide event examples to improve extraction accuracy.
                      • Identify required text to focus the field extraction on events that contain this text.
                      • Examine field extraction results.
                      • Update the underlying regular expression manually. If you do this, you leave the field extractor workflow.

Validate Fields     • Examine the field extraction results.
                      • Identify incorrectly extracted values as counterexamples to improve the accuracy of the field extraction.

Save                Name your new field extraction, set its permissions, and save it.
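The regular expressions behind a field extraction can be exercised outside Splunk Enterprise, which is a useful way to understand what the Select Fields and Validate Fields steps are doing. The following Python script is an added example, not code from this page or from Splunk software. It uses constructed access_combined events plus a constructed syslog line as a counterexample. Python names capture groups as (?P<name>...) where Splunk software uses (?<name>...); otherwise the patterns are the same. NAIVE_STATUS stands for a regex with too little surrounding context, an illustration of why validation matters rather than a regex the field extractor produced, and the required_text argument mimics the required text option of the Select Fields step.

```python
import re

# Constructed sample events (not from the page). The first three are in
# access_combined format; the last is a syslog line used as a counterexample,
# an event that must NOT yield fields from this extraction.
EVENTS = [
    '10.0.0.5 - - [10/Oct/2023:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Oct/2023:13:55:40 -0700] "POST /login HTTP/1.1" 401 512 "-" "curl/8.0"',
    '10.0.0.9 - - [10/Oct/2023:13:55:41 -0700] "GET /admin/../../etc/passwd HTTP/1.1" 404 0 "-" "curl/8.0"',
    'Oct 10 13:55:42 host sshd[2201]: Failed password for root from 10.0.0.9 port 51234 ssh2',
]

# Hypothetical under-anchored regex: "the first run of three digits". This is
# the kind of pattern you get by highlighting a value with no surrounding
# context. It is an illustration, not output of the field extractor.
NAIVE_STATUS = re.compile(r'(?P<status>\d{3})')

# Refined extraction: anchored at line start and on the fixed request-line
# layout, so method, uri, status and bytes come from their actual positions.
REFINED = re.compile(
    r'^(?P<clientip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def extract(pattern, event, required_text=None):
    """Return the extracted fields as a dict, or None if the event does not match.

    required_text mimics the field extractor's "required text" option: events
    that do not contain it are skipped before the regex is applied.
    """
    if required_text is not None and required_text not in event:
        return None
    m = pattern.search(event)
    return m.groupdict() if m else None


def validate(pattern, events, required_text=None):
    """Apply the extraction to every event and split the results into
    (matched, unmatched) lists of (event, fields) tuples, so that
    counterexamples can be checked the way the Validate Fields step does."""
    matched, unmatched = [], []
    for ev in events:
        fields = extract(pattern, ev, required_text)
        (matched if fields else unmatched).append((ev, fields))
    return matched, unmatched


if __name__ == "__main__":
    for name, pattern, req in (("naive", NAIVE_STATUS, None), ("refined", REFINED, "HTTP/")):
        matched, unmatched = validate(pattern, EVENTS, req)
        print(f"== {name}: {len(matched)} matched, {len(unmatched)} unmatched")
        for ev, fields in matched:
            print("  fields:", fields)
        for ev, _ in unmatched:
            print("  no match:", ev[:40])
```

Running the script shows NAIVE_STATUS pulling 202 out of the timestamp of the first event and 220 out of the syslog process ID, while REFINED extracts status 200 and leaves the syslog line in the unmatched list. When you refine an extraction, put the required text and the anchors on parts of the event the sender cannot control (here the request-line layout), not on attacker-controlled content such as the URI or User-Agent, and review the unmatched list for events that should have matched.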

Access the field extractor

There are several ways to access the field extractor utility. The access method you use can determine which step of the field extractor workflow you start at.

All users can access the field extractor after running a search that returns events. You have three post-search entry points to the field extractor:

  • Bottom of the fields sidebar
  • All Fields dialog box
  • Any event in the search results

You can also enter the field extractor:

  • from the Splunk Enterprise Home page.
  • from the Field Extractions page in Settings.
  • when you add data with a fixed source type.

Access the field extractor from the bottom of the fields sidebar

When you use this method, the field extractor works only with the set of events returned by the search you have run. To choose from the full set of source types in your Splunk Enterprise instance, enter the field extractor from the Field Extractions page in Settings.

1. Run a search that returns events.

2. Scroll down to the bottom of the fields sidebar and click Extract new fields.

If your search string does not identify a sourcetype value, the field extractor starts you at the Select Sourcetype step.
If your search string identifies a sourcetype value, such as sourcetype=access_combined, the field extractor starts you at the Select Sample step.


Access the field extractor from the All Fields dialog box

When you use this method, the field extractor works only with the set of events returned by the search you have run. To choose from the full set of source types in your Splunk Enterprise instance, enter the field extractor from the Field Extractions page in Settings.

1. Run a search that returns events.

2. At the top of the fields sidebar, click All Fields.

3. In the All Fields dialog box, click Extract new fields.

If your search string does not identify a sourcetype value, the field extractor starts you at the Select Sourcetype step.
If your search string identifies a sourcetype value, such as sourcetype=access_combined, the field extractor starts you at the Select Sample step.


Access the field extractor from a specific event

Use this method to select an event in your search results, and create a field extraction that:

  • Extracts one or more fields found in that event.
  • Is tied to the source type of that event.

When you use this method, the field extractor works only with the set of events returned by the search you have run. To choose from the full set of source types in your Splunk Enterprise instance, enter the field extractor from the Field Extractions page in Settings.

1. Run a search that returns events.

2. Find an event that you want to extract fields from, and click the arrow symbol to the left of the timestamp to open it.

3. Click Event Actions, and select Extract Fields.

The field extractor starts you at the Select Fields step, because the source type and the sample event are already defined by the event you selected.


Access the field extractor through the Field Extractions page in Settings

This entry method is available to all users.

1. Select Settings > Fields > Field extractions.

2. Click the Open field extractor button.

The field extractor starts you at the Select Sourcetype step.

Access the field extractor through the Home page

This entry method is available only to users whose roles have the edit_monitor capability, such as Admin.

On the Home page, click the extract fields link under the Add Data icon.

The field extractor starts you at the Select Sourcetype step.


Access the field extractor after you add data

This entry method is available only to users whose roles have the edit_monitor capability, such as Admin.

After you add data to Splunk Enterprise, use the field extractor to extract fields from that data, as long as it has a fixed source type.

For example, you upload a file named vendors.csv to your Splunk Enterprise instance and give it the custom source type vendors. After you save this input, you can enter the field extractor and extract fields from the events associated with the vendors source type.

By contrast, suppose you create a monitor input for the /var/log directory and select Automatic for the source type, so that Splunk Enterprise determines the source type of the data from that input on an event-by-event basis. When you save this input, you are not prompted to extract fields from the new data, because the events indexed from that directory can have a variety of source type values.

1. Enter the Add Data page.

See "How do you want to add data?" in the Getting Data In manual.

2. Define a data input with a fixed source type.

This can be an existing source type or a custom source type that you define. See "View and set source types for event data" in the Getting Data In manual.

3. Save the new data input.

4. In the "File has been uploaded successfully" dialog box, click Extract Fields.

The field extractor starts you at the Select Sample step.

This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15

