Splunk® Enterprise

Splunk Enterprise Scenarios


Extract fields

Dashboard panel visualizations are driven by search results. Before building the failed login dashboard, make sure that you have all of the fields that you need to run a search for each panel.

This scenario step shows you how to work with fields.

  • Review the failed login dashboard panels you are creating.
  • Identify the fields needed to generate the dashboard panels.
  • Determine if these fields exist in the data or must be extracted.
  • Use the Field Extractor to create field extractions.

Part 1: Review the goal

The failed login dashboard that you are building needs to have the following panels.

  • Failed login attempt counts.
  • Top hackers ranked by failed login count.
  • Targeted user accounts and the hackers making login attempts on them.
  • Hacker locations on a map.

Part 2: Determine required fields

Each dashboard panel uses a specific search. The following table illustrates example search commands, and whether or not you need to extract new fields.

Dashboard panel: Counts of failed login attempts, broken out by valid and invalid accounts
  Example search commands: Use stats count to get an event count.
  Are any fields required? No. You can search for the terms "invalid" or "valid" in events to differentiate between valid and invalid accounts.

Dashboard panel: Top hackers list
  Example search commands: Use the top <fieldname> command to list the top hackers.
  Are any fields required? Yes. Hackers are identified by the IP address in the event, so an IP address field is required.

Dashboard panel: Targeted users
  Example search commands: Design a drilldown search using stats count to aggregate targeted user accounts for each hacker IP address.
  Are any fields required? Yes. Aggregating targeted user accounts for each hacker requires a username field and the IP address field mentioned above.

Dashboard panel: Locate hackers on a world map
  Example search commands: Use the iplocation and geostats commands to convert the IP address into a plotted location on a map.
  Are any fields required? Yes. Use the IP address field mentioned above.

Part 3: Check if required fields are available

You have determined that you need username and IP address fields. Check if these fields are available in the data. If they are not, you can extract them.

  1. Run the following search.

    sourcetype=secure failed

  2. Check the fields sidebar.
    Fields in the Selected Fields and Interesting Fields categories appear here. These lists do not always include every field available from search results.
    (Image: fields sidebar)
  3. Observe that there do not appear to be any fields with IP address or username values.
  4. Confirm that these fields are not available by selecting All Fields.
    The Select Fields dialog opens. You can see details about all of the fields extracted in this search.
    (Image: Select Fields dialog listing the extracted fields)
  5. Review the Select Fields dialog and observe that the IP address and username fields are not being extracted.

The next steps show you how to extract the required fields.

Part 4: Field extraction - Select a sample event

  1. From the Select Fields dialog, click Extract New Fields. The Field Extractor opens.
    (Image: Field Extractor, select sample event step)
  2. Observe that the Field Extractor indicates that you are extracting fields for the secure sourcetype.

    All field extractions that the Field Extractor makes must be associated with a sourcetype. The Field Extractor obtains a sourcetype from the search. When a sourcetype is not available, the Field Extractor prompts you to provide one in the first step.

    Field extractions can also be associated with specific host and source values, but the Field Extractor only enables sourcetype field extractions.
  3. Select a sample event.
  4. Click Next to select the fields to extract from the event.
  5. Opt to use a regular expression to extract fields and click Next.

Part 5: Field extraction - Select the fields to extract

The Select Fields Field Extractor step lets you highlight values in the sample event for the fields that you want to extract. You can extract multiple fields from the same event.

  1. Extract a username field.
    In each event, usernames appear at the end of the error message, Failed password for invalid user <username>.
    To extract the username field, highlight the username shown in the sample event and indicate that it is a sample value of a new field called username.
  2. Click Add Extraction.
    The Field Extractor attempts to extract the field from the sample events. You can see the results in the preview table near the bottom of the page.
  3. Extract an IP address field.
    To do this, highlight the IP address in the event as a value of a new clientip field.
  4. Click Add Extraction. The preview table updates to show how the Field Extractor finds and extracts values for this second field. After you have added both field extractions, the preview table should be similar to this one.
    (Image: Field Extractor preview table with the username and clientip extractions)
  5. Click Next to validate the field extractions and save them.

Part 6: Validate and save the field extractions

  1. Check field extraction success by reviewing the Matches and Non-Matches. You can also review the tabs created for the username and clientip extracted fields.
  2. (Optional) If you find any errors, remove values in events that are highlighted incorrectly.
  3. After validating the field extractions, click Next.
    The fields are extracted. The Save step opens.
  4. Change the field extraction Permissions to All apps.
    If you keep the default value of Owner, any other dashboards that you create with these extractions will only work for you.
    This step gives you the option to set permissions for the extraction by role. For now, leave the defaults of read access for Everyone and write access for Admin.
  5. Click Finish to save the extractions.
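As an added example (not code from the page or from Splunk), the username and clientip extraction from Parts 5 and 6 expressed as a regular expression with named groups, run over constructed sshd-style events, followed by the aggregates behind the Part 2 panels (counts by valid/invalid account, top hackers, targeted users per hacker IP). It assumes the standard sshd "secure" message format, including the valid-account form "Failed password for <user> from <ip>", which the page does not show; the events and IP addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events in the assumed sshd "secure" log format (not from the
# page). Both invalid-account and valid-account failures are included, plus one
# successful login that the extraction should not match.
SAMPLE_EVENTS = [
    "Jan 12 10:01:02 host1 sshd[2001]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2",
    "Jan 12 10:01:05 host1 sshd[2002]: Failed password for invalid user oracle from 203.0.113.5 port 51030 ssh2",
    "Jan 12 10:02:11 host1 sshd[2003]: Failed password for root from 198.51.100.7 port 40112 ssh2",
    "Jan 12 10:02:40 host1 sshd[2004]: Failed password for invalid user test from 198.51.100.7 port 40120 ssh2",
    "Jan 12 10:03:00 host1 sshd[2005]: Failed password for invalid user admin from 192.0.2.9 port 33001 ssh2",
    "Jan 12 10:03:30 host1 sshd[2006]: Accepted password for alice from 192.0.2.10 port 33010 ssh2",
]

# Equivalent of the regular expression the Field Extractor builds once you
# highlight the two values: the named groups become the fields username and
# clientip. "invalid user " is optional so valid-account failures also match.
FAILED_LOGIN_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<username>\S+) "
    r"from (?P<clientip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def extract_fields(events):
    """Return (matches, non_matches), mirroring the Field Extractor's validation view."""
    matches, non_matches = [], []
    for ev in events:
        m = FAILED_LOGIN_RE.search(ev)
        if m:
            matches.append({
                "username": m.group("username"),
                "clientip": m.group("clientip"),
                "invalid": "invalid user" in ev,   # the "invalid" term the table relies on
            })
        else:
            non_matches.append(ev)
    return matches, non_matches

def panel_stats(matches):
    """Equivalents of the three table-driven searches over the extracted fields."""
    # stats count, broken out by valid and invalid accounts
    counts = Counter("invalid" if r["invalid"] else "valid" for r in matches)
    # top clientip
    top_hackers = Counter(r["clientip"] for r in matches).most_common()
    # drilldown: targeted user accounts for each hacker IP address
    targets = defaultdict(set)
    for r in matches:
        targets[r["clientip"]].add(r["username"])
    return counts, top_hackers, {ip: sorted(u) for ip, u in targets.items()}
```

The successful "Accepted password" event lands in non_matches, which is the same split you check in the Matches and Non-Matches view in Part 6.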

The next part of the scenario shows you how to build visualizations.


This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12
