Field Extractor: Select Method step
In the Select Method step of the field extractor you can choose a field extraction method that fits the data you are working with.
The step displays your Source or Source type and your sample event. At the bottom of the step you see two field extraction methods: Regular expression and Delimiter.
- Click the field extraction method that is appropriate for your data.
- Click Regular Expression if the event that you have selected is derived from unstructured data such as a system log. The field extractor can attempt to generate a regular expression that matches similar events and extracts your fields.
- Click Delimiters if the fields in your selected event are:
- cleanly separated by a common delimiter, such as a space, a comma, or a pipe character.
- consistent across multiple events (each value is in the same place from event to event).
- This is commonly the case with structured, table-based data such as
.csvfiles or events indexed from a database.
- Here is an example of an event that uses a comma delimiter to separate out its fields. Its source is a
.csvfile from the USGS Earthquakes website which provides data on earthquakes that have occurred around the world over a 30 day period.
2015-06-01T20:11:31.560Z,44.4864,-129.851,10,5.9,mwb,,158,4.314,1.77,us,us20002l3n,2015-06-01T21:38:31.455Z,Off the coast of Oregon
- You can see that there is a missing field where two commas appear next to each other.
- In cases where your fields are separated by delimiters but are not consistent across multiple events, you should use the Regular Expression method in conjunction with required text. Here's an example of two events that use a cleanly separated comma delimiter but whose fields are not consistent:
- The second field extraction would include
usercheck, even through those are values for two different fields. So this set of events is not a good candidate for delimiter-based field extraction.
- Click Next to go on to the next step. If you have chosen the Regular Expression method, you go on to the Select fields step. If you have chosen the Delimiters method, you go on to the Rename fields step.
Field Extractor: Select Sample step
Field Extractor: Select Fields step
This documentation applies to the following versions of Splunk Cloud Platform™: 9.0.2209 (latest FedRAMP release), 8.2.2106, 8.2.2109, 8.1.2103, 8.2.2105, 8.2.2107, 8.2.2111, 8.2.2112, 8.2.2201, 8.2.2202, 8.2.2203, 9.0.2205, 9.0.2208