Splunk® Enterprise

Knowledge Manager Manual

Splunk Enterprise version 8.0 is no longer supported as of October 22, 2021. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Field Extractor: Select Method step

In the Select Method step of the field extractor you can choose a field extraction method that fits the data you are working with.

The step displays your Source or Source type and your sample event. At the bottom of the step you see two field extraction methods: Regular expression and Delimiter.

Em FX select method step.png

Steps

  1. Click the field extraction method that is appropriate for your data.
    Click Regular Expression if the event that you have selected is derived from unstructured data such as a system log. The field extractor can attempt to generate a regular expression that matches similar events and extracts your fields.
    Click Delimiters if the fields in your selected event are:
    • cleanly separated by a common delimiter, such as a space, a comma, or a pipe character.
    • consistent across multiple events (each value is in the same place from event to event).
    This is commonly the case with structured, table-based data such as .csv files or events indexed from a database.
    Here is an example of an event that uses a comma delimiter to separate out its fields. Its source is a .csv file from the USGS Earthquakes website which provides data on earthquakes that have occurred around the world over a 30 day period.
    2015-06-01T20:11:31.560Z,44.4864,-129.851,10,5.9,mwb,,158,4.314,1.77,us,us20002l3n,2015-06-01T21:38:31.455Z,Off the coast of Oregon
    You can see that there is a missing field where two commas appear next to each other.
    In cases where your fields are separated by delimiters but are not consistent across multiple events, you should use the Regular Expression method in conjunction with required text. Here's an example of two events that use a cleanly separated comma delimiter but whose fields are not consistent:
    • indexer.splunk.com,jesse,pwcheck.fail
    • Indexer.splunk.com,usercheck,greg
    The second field extraction would include jesse and usercheck, even through those are values for two different fields. So this set of events is not a good candidate for delimiter-based field extraction.
  2. Click Next to go on to the next step. If you have chosen the Regular Expression method, you go on to the Select fields step. If you have chosen the Delimiters method, you go on to the Rename fields step.
Last modified on 12 June, 2017
Field Extractor: Select Sample step   Field Extractor: Select Fields step

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.11, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 8.1.10, 8.1.12, 8.1.13, 8.1.14


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters