Splunk® Enterprise

Knowledge Manager Manual

Splunk Enterprise version 8.1 will no longer be supported as of April 19, 2023. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Add an auto-extracted field

You can add an auto-extracted field to any root dataset in your data model.

6.1 dm add auto-extracted field.png

  1. In the Data Model Editor, open the root dataset you'd like to add an auto-extracted field to.
  2. Click Add Field and select Auto-extracted to define an auto-extracted field.
    The Add Auto-Extracted Field dialog appears. It includes a list of fields that can be added to your data model datasets.
  3. Select the fields you would like to add to your data model by marking their checkboxes.
    You can select the checkbox in the header to select all fields in the list.
    If you look at the list and don't find the fields you are expecting, try changing the event sample size, which is set to the First 1000 events by default. A larger event sample may contain rare fields that didn't turn up in the first thousand events. For example, you could choose a sample size like the First 10,000 events or the Last 7 days.
  4. (Optional) Rename the auto-extracted field.
    If you use Rename, do not include asterisk characters in the new field name.
  5. (Optional) Correct the auto-extracted field Type.
  6. (Optional) Update the auto-extracted field's status (Optional, Required, Hidden, or Hidden and Required) as necessary.
  7. Click Save to add the selected fields to your root dataset.
  8. Note: You cannot add auto-extracted fields to child datasets. Child datasets inherit auto-extracted fields from the root dataset at the top of their dataset hierarchy.

The list of fields displayed by the Add Auto-Extracted Field dialog includes:

Expand a field row for a field to see its top ten sample values.

Manually add a field to the set of auto-extracted fields

While building a data model you may find that you are missing certain auto-extracted fields. They could be missing for a variety of reasons. For example:

  • You may be building your data model prior to indexing the data that will make up its dataset.
  • You are indexing data, but certain rare fields that you expect to see eventually haven't been indexed yet.
  • You are utilizing a generating search command like inputcsv that adds fields that don't display in this list.

You can manually add auto-extracted fields to a root dataset.

Note: Before adding fields manually, try increasing the event sample size as described in the procedure above to pull in rare fields that aren't found in the first thousand events.

  1. Click Add by name in the top right-hand corner of the Add Auto-Extracted Field dialog.
    This adds a row to the field table. Note that in the example at the top of this topic a row has been added for a manually added ISBN field.
  2. In that row, manually identify the Field name, Type, and status for an auto-extracted field.
  3. Click Add by name again to add additional field rows.
  4. Click the X in the top right-hand corner of an added row to remove it.
  5. Click Save to save your changes.
    Fields that you've added to the table are added to your root dataset as Extracted in the Extracted category, along with any selected auto-extracted fields.
Last modified on 23 May, 2017
Define dataset fields   Add an eval expression field

This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.3.0, 9.3.1, 8.1.0, 8.1.10, 8.1.11, 8.1.12


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters