Splunk® Enterprise

Knowledge Manager Manual


This documentation does not apply to the most recent version of Splunk.

Field Extractor: Select Sample Event step

In the Select Sample step of the field extractor, select a sample event that contains values for the fields that you want to extract.

Note: The field extractor bypasses this step and the preceding Select Sourcetype step when you enter the field extractor from an event in the results of a search. In that case, the field extractor uses the event from which you entered it as the sample event, and it uses the source type of that event as the source type for the field extraction.

1. Browse through the list of events to find an event that you want to select.

2. (Optional) If you do not see the event you are looking for, try to find it by filtering the event list with keywords.

Enter keywords into the filter and click Apply to filter the event listing on those keywords. Remove filters by deleting keywords from the filter field and clicking Apply.

3. (Optional) Change the Sample value to a larger event set, such as First 10,000 events or events from the Last 24 hours, to capture especially rare events.

By default, the event list displays the first 1000 events. This dataset may not be large enough to capture some rare events.

4. (Optional) Switch All events to Rare events or Diverse events to view events that fit into those categories.

5. Click on an event to select it.

6. Click Next to go to the Select Fields step.

In this example, the filter finds events that contain the string POST for the access_combined source type. The selected event appears above the field list as white text on a blue background.

[Screenshot: the Select Sample step of the field extractor]


This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15

