Field Extractor: Select Sample Event step
In the Select Sample step of the field extractor, select a sample event that contains values for the fields that you want to extract.
Note: The field extractor bypasses this step and the preceding Select Sourcetype step when you enter the field extractor from an event in the results of a search. In that case, the field extractor uses the event you entered from as the sample event, and it uses the source type of that event as the source type for the field extraction.
1. Browse through the list of events to find an event that you want to select.
2. (Optional) If you do not see the event you are looking for, try to find it by filtering the event list with keywords.
- Enter keywords into the filter and click Apply to filter the event listing on those keywords. Remove filters by deleting keywords from the filter field and clicking Apply.
3. (Optional) Change the Sample value to a larger event set, such as First 10,000 events or events from the Last 24 hours, to capture especially rare events.
- By default the event list displays the first 1000 events. This dataset may not be large enough to capture some rare events.
4. (Optional) Switch All events to Rare events or Diverse events to view events that fit into those categories.
5. Click on an event to select it.
6. Click Next to go to the Select Fields step.
In this example, the filter finds events that contain the string POST for the access_combined source type. The selected event appears above the field list as white text on a blue background.
This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15