Implementing Splunk 7(Third Edition)

Using the extract fields interface

There are several ways to define a field. Let's start by using the Extract Fields interface. To access this interface, choose Extract Fields from the workflow actions menu next to any event:

This menu launches the Extract Fields view:

Since Splunk version 6.2, this view has been a wizard that walks you through supplying the information Splunk needs to attempt to build a regular expression that matches the value you are interested in.

Although you may select several values to extract, in this case we highlight the single value Error:

In the popup, you can provide a custom Field Name (I chose CognosError) and then click the button labeled Add Extraction.

Under Preview, you can see two tabs—Events, and our new field CognosError:

Under Events, we get a preview of what data was matched in context, and under CognosError we can see our new field.

Finally, under Show Regular Pattern, we see the regular expression that Splunk generated, which is as follows:

^(?P<CognosError>\w+)

Note what this pattern actually says: anchored at the start of the event, it captures the first run of word characters, whatever that happens to be. It will therefore produce a value for every event whose first token is a word or a number, not only for events that begin with Error. This is exactly the kind of over-matching the Events tab of the preview lets you catch before you save.

You can step through the pattern and, if you are so inclined, make edits to it:

Clicking on the button labeled Edit the Regular Expression (shown in the preceding screenshot) presents a dialog to let you modify the pattern manually:

Once you make any edits to the pattern, Preview is enabled; clicking it launches a new search that applies your pattern through a very useful query showing the most common values extracted, which is the quickest way to spot a pattern that is matching more than you intended.

Save prompts you for a name for your new field. Assuming that you modified the originally generated pattern string, you can enter a new name (rather than CognosError), and then select the desired permissions for the new extraction, that is, who is allowed to see and use this field:

Now that we've defined our field, we can use it in a number of ways, as follows:

  • We can search for the value using the field name, for instance, CognosError=Error.
  • When searching for values by field name, the field name is case-sensitive, but the value is not. In this case, CognosError=error will work just fine, but cognoserror=Error will not.
  • We can report on the field, whether we searched for it or not. For instance,
    sourcetype="impl_splunk_gen" user=mary | top CognosError.
  • We can search for only those events that contain our field:
    sourcetype="impl_splunk_gen" user=mary CognosError="*".
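To make the behaviour described above concrete, here is an added Python model (not code from the book, and not Splunk itself) of what the wizard's preview and a field=value search term do with the generated pattern. Python's re module accepts the same (?P<name>...) named-group syntax Splunk emitted, so the pattern can be pasted in unchanged; the hand-edited pattern and the sample events are constructed for this illustration and are not the book's impl_splunk_gen data.

```python
"""Added example (not from the book or from Splunk): a small Python model of
what the Extract Fields wizard and a field=value search term do with the
pattern above. Python's re module accepts the same (?P<name>...) named-group
syntax Splunk emitted, so the generated pattern can be pasted in unchanged.
The events below are constructed for this illustration; they are not the
book's impl_splunk_gen sample data."""
import re
from collections import Counter

# Constructed sample events: only some of them begin with a log level.
EVENTS = [
    "Error processing report RPT-42 for user mary",
    "Error connecting to dispatcher on port 9300",
    "Info report RPT-42 completed for user mary",
    "2018-03-01 10:02:11 WARN scheduler queue depth 17",
    "ERROR timeout waiting for gateway",
]

# The pattern Splunk generated in the text. Anchored at ^ and using \w+, it
# captures the first run of word characters of EVERY event, so "Info" and
# "2018" end up as values of CognosError too.
GENERATED = re.compile(r"^(?P<CognosError>\w+)")

# A hand-edited pattern (an assumption of this example, not the book's):
# it only fires when the event actually starts with an error marker.
EDITED = re.compile(r"^(?P<CognosError>[Ee]rror|ERROR)\b")


def extract(pattern, events):
    """Return one dict per event holding the fields the pattern extracted
    (empty when the pattern did not match). This is what the Events tab of
    the wizard's Preview shows: which events matched and with what value."""
    results = []
    for event in events:
        match = pattern.search(event)
        results.append(match.groupdict() if match else {})
    return results


def top(pattern, events):
    """Most common extracted values, in the spirit of the '| top <field>'
    query the Preview button runs. Ties keep first-seen order."""
    values = [value for fields in extract(pattern, events)
              for value in fields.values()]
    return Counter(values).most_common()


def search(pattern, events, field, value):
    """Emulate a Splunk field=value search term: the field name must match
    exactly (field names are case-sensitive), the value is compared without
    regard to case, and "*" matches any event that carries the field."""
    hits = []
    for event, fields in zip(events, extract(pattern, events)):
        if field not in fields:
            continue
        if value == "*" or fields[field].lower() == value.lower():
            hits.append(event)
    return hits


if __name__ == "__main__":
    # The generated pattern reports non-error tokens as "errors"...
    print("generated:", top(GENERATED, EVENTS))
    # ...while the edited one only matches the three real error events.
    print("edited:   ", top(EDITED, EVENTS))
    # Field name case matters, value case does not.
    print(len(search(GENERATED, EVENTS, "CognosError", "error")), "hits")
    print(len(search(GENERATED, EVENTS, "cognoserror", "Error")), "hits")
```

Running it shows the point of the Preview step: with the generated pattern, top() lists Info and 2018 as values of CognosError alongside the real errors, while the edited pattern leaves the non-error events without the field, so CognosError="*" then returns only the three error events. The search() helper also shows why cognoserror=Error finds nothing but CognosError=error does.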