Field Extractor: Save step
In the Save step of the field extractor you define the name of the new field extraction definition, set its permissions, and save the extraction.
- Give the field extraction definition a name if it does not have one, or verify that the name that the field extractor provides is correct.
- If you created your field extraction definition with the regular expression mode, the Name will consist of a comma-separated list of the fields extracted by the definition. You can change this name.
- If you created your field extraction definition with the delims mode, Name will be blank. You must provide a name to save the field extraction definition.
- Note: The extraction name cannot include spaces.
- (Optional) Change the Permissions of the field extraction to either App or All apps and update the role-based read/write permissions.
- You can only change field extraction permissions if your role includes the capability that allows you to do so.
- The field extraction is set to Owner, meaning that it only extracts fields in searches run by the person who created the extraction.
- Set Permissions to App to make this extraction available only to users of the app that the field extraction belongs to.
- Set Permissions to All apps to enable all users of all apps to benefit from this field extraction when they run searches.
- When you change the app permissions to App or All apps you can set read and write permissions per role. See "Manage knowledge object permissions," in this manual.
- Note: For delimiter-based field extractions, you will need to move the
transforms.confstanzas manually in order to change the field extraction permissions. You do not need to move
props.confstanzas. See App architecture and object ownership.
- Click Finish to save the extraction.
You can manage the field extractions that you create. They are listed on the Field Extractions page in Settings. See Use the Field extractions page, in this manual.
Field Extractor: Validate step
Use the Field extractions page
This documentation applies to the following versions of Splunk Cloud Platform™: 8.2.2202, 8.2.2112, 8.2.2201, 8.2.2203, 9.0.2205, 9.0.2208, 9.0.2209, 9.0.2303, 9.0.2305 (latest FedRAMP release)