This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10
Use the Field extractions page in Manager to manage search-time field extractions that have been made through interactive field extractions (IFX) in Splunk Web or changes to conf files. The Field extractions page enables you to:
props.conf.
transforms.conf
Navigate to the Field extractions page by selecting Manager > Field extractions.
To better understand how the Field extractions page in Manager displays your extracted field, it helps to understand how field extractions are set up in your props.conf and transforms.conf files. The method for defining field extractions in props.conf is discussed in "Add fields at search time" in this manual.
Field extractions can also be set up as transforms in transforms.conf. For more information about how this is done see the specs for the transforms.conf and props.conf files in the Admin manual.
The Name column in the Field extractions page displays the overall name of the field extraction, as it appears in props.conf. The format is:
<spec> : [EXTRACT-<class> | REPORT-<value>]
<spec> can be:
<sourcetype>, the source type of an event.
host::<host>, where <host> is the host for an event.
source::<source>, where <source> is the source for an event.
EXTRACT-<class> field extractions are extractions that are wholly defined in props.conf. They are created automatically by field extractions made through IFX and certain search commands. You can also add them by making direct updates to the props.conf file. This kind of extraction is always associated with a regular expression, which appears in the Extraction column.
REPORT-<value> field extractions are linked to stanzas in transforms.conf, which is where their regular expressions are located.
There are two field extraction types: inline and transforms.conf.
Inline extractions have EXTRACT-<class> name configurations, and are always defined in the props.conf file.
Transforms.conf extractions are defined in both transforms.conf and props.conf. Transforms.conf extractions also always have REPORT-<value> name configurations.
In the Expression column, Manager displays different things depending on the field extraction type.
For transforms.conf field extractions, the Expression column displays the name of the transforms.conf field extraction stanza (or stanzas) that the field extraction is linked to through props.conf. For example, the Expression column could display two values for an extraction: access-extractions and ip-extractions. These may appear in props.conf as:
[access_combined]
REPORT-access = access-extractions ip-extractions
In this example, access-extractions and ip-extractions are both names of field extraction stanzas in transforms.conf. Each stanza contains a regex that is used to extract one or more fields.
You can edit the values displayed in the Expression column for any field extraction. Click the name of the field extraction that you want to edit to have Splunk open the details page for that field extraction. You can edit the regular expressions of inline extractions, and add or delete stanza names from transforms.conf field extractions.
Note: Transforms.conf field extractions must include at least one valid transforms.conf field extraction stanza name.
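The following script is an added example, not part of this documentation or of Splunk itself. It parses a constructed props.conf and transforms.conf pair (the stanza names, regexes and the sample access_combined event are all made up for illustration) and builds the rows the Field extractions page would show: the Name in the "<spec> : EXTRACT-<class>" or "<spec> : REPORT-<value>" format, the type (inline or transforms.conf), and the Expression value (the regex for an inline extraction, the stanza names for a transforms.conf extraction). It also flags REPORT- extractions whose stanza names do not resolve to a transforms.conf stanza with a REGEX, which is the condition the note above describes, and applies each extraction to the sample event so you can see which fields each one produces. Splunk evaluates its regexes with PCRE named groups, (?<name>...); Python's re module only accepts (?P<name>...), so the script rewrites that syntax before searching, which is an adaptation for this example and not something Splunk does.

```python
import configparser
import re

# Constructed sample props.conf and transforms.conf (not from any real deployment).
# EXTRACT-<class> = inline extraction, the regex lives here in props.conf.
# REPORT-<value>  = transforms.conf extraction, the value names one or more stanzas.
PROPS_CONF = r"""
[access_combined]
EXTRACT-status = \s(?<status>\d{3})\s
REPORT-access = access-extractions ip-extractions

[host::webfront01]
REPORT-ua = ua-extractions

[source::/var/log/app.log]
REPORT-broken = no-such-stanza
"""

TRANSFORMS_CONF = r"""
[access-extractions]
REGEX = ^(?<clientip>\S+)\s+\S+\s+\S+\s+\[(?<timestamp>[^\]]+)\]\s+"(?<method>\S+)\s+(?<uri>\S+)

[ip-extractions]
REGEX = (?<ip>\d{1,3}(?:\.\d{1,3}){3})

[ua-extractions]
REGEX = "(?<useragent>[^"]*)"$
"""

# Constructed access_combined-style event used to exercise the extractions.
EVENT = '10.1.2.3 - - [10/Oct/2010:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"'


def parse_conf(text):
    """Parse Splunk-style .conf text into {stanza: {key: value}}, preserving key case."""
    # Only "=" separates keys from values, so a ":" inside a regex is never a delimiter.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep EXTRACT-/REPORT- exactly as written
    cp.read_string(text)
    return {name: dict(cp[name]) for name in cp.sections()}


def list_extractions(props, transforms):
    """Build rows as the Field extractions page shows them: Name, Type, Expression."""
    rows = []
    for spec, keys in props.items():
        for key, value in keys.items():
            if key.startswith("EXTRACT-"):
                rows.append({"name": f"{spec} : {key}", "type": "inline",
                             "expression": value, "valid": True})
            elif key.startswith("REPORT-"):
                stanzas = [s for s in re.split(r"[\s,]+", value.strip()) if s]
                # A transforms.conf extraction needs at least one stanza that exists
                # in transforms.conf and carries a REGEX.
                valid = bool(stanzas) and all(
                    s in transforms and "REGEX" in transforms[s] for s in stanzas)
                rows.append({"name": f"{spec} : {key}", "type": "transforms.conf",
                             "expression": " ".join(stanzas), "valid": valid})
    return rows


def to_python_regex(pcre):
    """Rewrite PCRE named groups (?<name>...) as Python's (?P<name>...); lookbehinds untouched."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pcre)


def extract_fields(row, transforms, event):
    """Apply one extraction row to an event and return the fields it produces."""
    if row["type"] == "inline":
        patterns = [row["expression"]]
    else:
        patterns = [transforms[s]["REGEX"] for s in row["expression"].split()
                    if s in transforms and "REGEX" in transforms[s]]
    fields = {}
    for pattern in patterns:
        match = re.search(to_python_regex(pattern), event)
        if match:
            fields.update({k: v for k, v in match.groupdict().items() if v is not None})
    return fields


def invalid_extractions(props, transforms):
    """Names of REPORT- extractions that reference missing or REGEX-less stanzas."""
    return [r["name"] for r in list_extractions(props, transforms) if not r["valid"]]


if __name__ == "__main__":
    props = parse_conf(PROPS_CONF)
    transforms = parse_conf(TRANSFORMS_CONF)
    for row in list_extractions(props, transforms):
        print(f'{row["name"]:40} {row["type"]:15} {row["expression"]}')
        print("   fields:", extract_fields(row, transforms, EVENT))
    print("invalid:", invalid_extractions(props, transforms))
```

Running the script lists four extractions; the REPORT-broken entry under source::/var/log/app.log is reported as invalid because no-such-stanza has no matching transforms.conf stanza, while the other three extract status, clientip/timestamp/method/uri/ip and useragent from the sample event.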
When a field extraction is created through an inline method (such as IFX or a search command) it is initially only available to its creator. To make the field extraction available to other users, you need to update its permissions. To do this, locate the field extraction on the Field extractions page and select its Permissions link. This opens the standard permission management page used in Manager for knowledge objects (such as saved searches, event types, search macros, and navigation menus).
On this page you can set up the role-based permissions for the field extraction, and determine whether it is available to users of one specific App, or globally to users of all Apps.
On the Field extractions page in Manager, you can delete field extractions if your permissions enable you to do so. Click Delete for the field extraction that you want to remove.