Splunk® Enterprise

Knowledge Manager Manual

Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.

Add an auto-extracted attribute

You can add an auto-extracted attribute to any root object in your data model.

(Screenshot: the Add Auto-Extracted Field dialog.)

1. In the Data Model Editor, open the root object you'd like to add an auto-extracted attribute to.

2. Click Add Attribute and select Auto-extracted to define an auto-extracted attribute.

The Add Auto-Extracted Field dialog appears. It includes a list of fields that can be added to your data model object as auto-extracted attributes.

3. Select the attributes you would like to add to your data model by marking their checkboxes.

You can select the checkbox in the header to select all fields in the list.
If you look at the list and don't find the fields you are expecting, try changing the event sample size, which is set to the First 1000 events by default. A larger event sample may contain rare fields that didn't turn up in the first thousand events. For example, you could choose a sample size like the First 10,000 events or the Last 7 days.

4. (Optional) Rename the auto-extracted field.

If you use Rename, do not include asterisk characters in the new field name.

5. (Optional) Correct the auto-extracted field Type.

6. (Optional) Update the auto-extracted field's status (Optional, Required, Hidden, or Hidden and Required) as necessary.

7. Click Save to add the selected attributes to your root object.

Note: You cannot add auto-extracted attributes to child objects. Child objects inherit auto-extracted attributes from the root object at the top of their object hierarchy.

The list of fields displayed by the Add Auto-Extracted Field dialog includes:

Expand a field's row to see its top ten sample values.

Manually add a field to the set of auto-extracted fields

While building a data model you may find that you are missing certain auto-extracted fields. They could be missing for a variety of reasons. For example:

  • You may be building your data model prior to indexing the data that will make up its dataset.
  • You are indexing data, but certain rare fields that you expect to see eventually haven't been indexed yet.
  • You are utilizing a generating search command like inputcsv that adds fields that don't display in this list.

You can manually add auto-extracted attributes to a root object.

Note: Before adding fields manually, try increasing the event sample size as described in the procedure above to pull in rare fields that aren't found in the first thousand events.

1. Click Add by name in the top right-hand corner of the Add Auto-Extracted Field dialog.

This adds a row to the field table. Note that in the example at the top of this topic a row has been added for a manually added ISBN field.

2. In that row, manually identify the Field name, Type, and status for an auto-extracted attribute.

3. Click Add by name again to add additional attribute rows.

4. Click the X in the top right-hand corner of an added row to remove it.

5. Click Save to save your changes.

Fields that you've added to the table are added to your root object as Extracted in the Extracted category, along with any selected auto-extracted fields.
Last modified on 20 July, 2016

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11
