By Splunk October 12, 2007
Here’s a paper I recently wrote on some of the automatic field extraction we’re doing with Splunk.
Abstract
This paper presents an interactive bootstrapping process used in Splunk that automatically learns to extract fields from log events. End users simply select one or more example values of a field and a learning process discovers additional instances, along with the patterns to extract them. The user is able to correct the instances and save the extraction patterns. Immediately afterward, while searching log events the newly-taught fields will be extracted from the event’s raw text.
Feedback appreciated.
----------------------------------------------------
Thanks!
David Carasso