Create extracted fields via Splunk Web
This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.2 , 3.2.1 , 3.2.2 , 3.2.3 , 3.2.4 , 3.2.5 , 3.2.6
Contents
Create extracted fields via Splunk Web
Configure extracted fields through Splunk Web. Any search can be turned into one or more extracted fields.
Configuration
Use Splunk Web to extract fields.
1. Run a search in Splunk Web:
host=pearl
2. Each event has a drop-down arrow under the timestamp. Click the drop-down arrow under the timestamp of any interesting event.
3. Choose Extract field. A dialog box pops up, allowing you to configure your field extraction rules:
- View the Sample Event dialog to see the event that you chose to extract fields from.
4. Enter values in the Example Value(s) dialog to tell Splunk what you want to extract as a field.
5. From the Rules section, select an event type, host, source, or sourcetype to restrict events you're extracting from.
6. Click Preview to show the rules (regular expressions under Generated rules) that Splunk uses to extract the example values. View the events Splunk extracted values from via the Preview window.
7. Select or de-select rules (Generated rules) or Preview extractions to alter the field extraction rule you want to create.
8. When you are satisfied with the results, click Save to save and name the field.
You can now use the extracted field you just created in a search.