This is not current Splunk documentation.
Splunk 3.4 is the latest version. Only use this page with older Splunk 2.0.x.

Splunk User Manual (Splunk v2.0)

Training Splunk

Report Fields

To train Splunk on which data segments in your events should be treated as fields for Report Splunks, use this command on a sample file of events.

# splunk learn fields

A Sample Session

The easiest way to explain learn fields is with a sample session, below. We'll create an _action field that can contain the values "Installed" and "Updated," and a _program field that contains the names of the programs handled and logged by yum.

[root@support01]# splunk learn fields

------------------------------------------------------
What operation do you want to perform? (default=learn)
------------------------------------------------------

        Enter answer: ['learn', 'test', 'quit'] > learn

---------------------------------------------------------------
Please specify the full names of the files from which to learn.
---------------------------------------------------------------

        Enter new values on separate lines.  Enter a blank line when done.  Enter '??' for more options.

        Enter filename > /var/log/yum.log
        Enter filename >

Splunk will now grab some sample lines from the file, and ask us to define a field to learn against them.


Sample lines from /var/log/yum.log
------------------------------------------------------------------------
        Mar 28 14:21:57 Installed: Xaw3d.i386 1.5E-6.2.2
        Apr 03 14:55:54 Updated: libstdc++.i386 4.1.0-4


--------------------------
Specify this field's name.
--------------------------

        Enter fieldname > action

---------------------------------------------
Please specify examples of values to extract.
---------------------------------------------

        Enter new values on separate lines.  Enter a blank line when done.  Enter '??' for more options.

        Enter good value > Installed
        Enter good value > Updated
        Enter good value >


-------------------------------------------------
If there are any bad terms extracted, enter them.
-------------------------------------------------

        Enter new values on separate lines.  Enter a blank line when done.  Enter '??' for more options.

        Enter bad value > 

The "bad value" prompt shouldn't appear at this point—it's sort of a misfeature. Press Enter to continue. We'll talk about bad values later.

        Enter bad value > 


Learning...
1 rules
Terms Learned:  ['Installed', 'Updated']

------------------------------------
Are the terms extracted good enough?
------------------------------------

        Enter [Y]es, [N]o, or [C]ancel > y

If Splunk had actually extracted a bad value, this would be the time to type "n" and enter the bad values from the "Terms Learned" list. This is a rare occurrence, though. Instead, we'll press "y" to continue.

        Enter [Y]es, [N]o, or [C]ancel > y

Using values:
        Fieldname: action
        Files: ['/var/log/yum.log']
        GoodTerms: ['Installed', 'Updated']
        BadTerms: []

------------------------------------
Learn more fields for this filetype?
------------------------------------

        Enter [Y]es or [N]o > 

Next, we'll train Splunk on a second field, which we'll call "program."

        Enter [Y]es or [N]o > y

Sample lines from /var/log/yum.log
------------------------------------------------------------------------
        Mar 28 14:21:54 Installed: emacs-common.i386 21.4-14
        Apr 03 14:55:53 Updated: libgcc.i386 4.1.0-4


--------------------------
Specify this field's name.
--------------------------

        Enter fieldname > program

---------------------------------------------
Please specify examples of values to extract.
---------------------------------------------

        Enter new values on separate lines.  Enter a blank line when done.  Enter '??' for more options.

        Enter good value > emacs-common.i386
        Enter good value > libgcc.i386
        Enter good value >


-------------------------------------------------
If there are any bad terms extracted, enter them.
-------------------------------------------------

        Enter new values on separate lines.  Enter a blank line when done.  Enter '??' for more options.

        Enter bad value >

Learning...
Learning...
2 rules
Terms Learned:  ['dmidecode.i386', 'emacs-common.i386', 'emacs.i386', 'libgcc.i386', 'strace.i386', 'syslog-ng.i386']

------------------------------------
Are the terms extracted good enough?
------------------------------------

        Enter [Y]es, [N]o, or [C]ancel > Y

Using values:
        Fieldname: program
        Files: ['/var/log/yum.log']
        GoodTerms: ['emacs-common.i386', 'libgcc.i386', 'strace.i386', 'dmidecode.i386', 'emacs.i386', 'syslog-ng.i386']
        BadTerms: []

------------------------------------
Learn more fields for this filetype?
------------------------------------

        Enter [Y]es or [N]o > n

--------------------------------------
Learn fields for additional filetypes?
--------------------------------------

        Enter [Y]es or [N]o > n

-------------------
Save rules learned?
-------------------

        Enter [Y]es or [N]o > y

-----------------------------------------------------------------------------------------------------------
Runtime system uses the rules file '/home/test//splunk/etc/report.xml'.
do you wish to save to this file?
-----------------------------------------------------------------------------------------------------------

        Enter [Y]es or [N]o > y

------------------------------------------------------
What operation do you want to perform? (default=learn)
------------------------------------------------------

        Enter answer: ['learn', 'test', 'quit'] > quit

How to Use Trained Fields

To make use of the trained fields _action and _program from the above example, we need to restart the Splunk Server as described in the Test Configuration Changes section of the Admin Manual.

We can then use the extracted fields in reports such as the example below.

meta::all report::[select _action, _program from resultstable where _program like %.i386]
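The two learned fields and the report query above, as an added Python example that is not part of this manual or of Splunk itself: a regular expression stands in for the rules Splunk learns from the good values, the yum.log lines are constructed, and the `like` emulation and the good/bad term check are this example's own assumptions about how to validate an extraction before saving it.

```python
import re
from collections import Counter

# Constructed yum.log sample in the layout the session learns from; the last line
# deliberately breaks the layout to show that unparseable events are skipped.
YUM_LOG = """\
Mar 28 14:21:54 Installed: emacs-common.i386 21.4-14
Mar 28 14:21:57 Installed: Xaw3d.i386 1.5E-6.2.2
Apr 03 14:55:53 Updated: libgcc.i386 4.1.0-4
Apr 03 14:55:54 Updated: libstdc++.i386 4.1.0-4
Apr 05 09:12:10 Erased: telnet-server.x86_64
Apr 05 09:12:11 some unrelated line without the expected layout
"""

# Hand-written equivalent of the two rules learned above: "action" is the word
# before the colon, "program" is the package token that follows it.
YUM_LINE = re.compile(
    r"^(?P<month>\w{3}) (?P<day>\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<action>[A-Za-z]+): (?P<program>\S+)(?: (?P<version>\S+))?$"
)

def extract_fields(log_text):
    """Return one dict per parseable line, keyed _action/_program as the report uses them."""
    events = []
    for line in log_text.splitlines():
        m = YUM_LINE.match(line)
        if m:
            events.append({"_action": m.group("action"), "_program": m.group("program")})
    return events

def like_to_regex(pattern):
    """Translate a SQL-style LIKE pattern (% = any run, _ = one char) to an anchored regex."""
    body = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern)
    return re.compile("^" + body + "$")

def report(events, program_like="%.i386"):
    """Emulate: select _action, _program from resultstable where _program like %.i386"""
    rx = like_to_regex(program_like)
    return [(e["_action"], e["_program"]) for e in events if rx.match(e["_program"])]

def check_learned_terms(events, good_terms, bad_terms=()):
    """Mirror the 'Are the terms extracted good enough?' decision: every good example
    must be extracted and no known-bad term may leak into the extracted values."""
    seen = Counter(e["_action"] for e in events) + Counter(e["_program"] for e in events)
    missing = [t for t in good_terms if t not in seen]
    leaked = [t for t in bad_terms if t in seen]
    return {"missing": missing, "leaked": leaked, "ok": not missing and not leaked}
```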
