With the addition of the field argument, we can work against the ip field that is
already being created automatically from the name=value pair in the event.
sourcetype="impl_splunk_gen"
| rex field=ip "(?P<subnet>.*)\."
| chart values(subnet) by user network
This will create exactly the same result as the previous example.
Extracting loglevel
In our examples, we searched for the raw word error. You may have noticed that
many of the events weren't actually errors, but simply contained the word error
somewhere in the message. For example, given the following two events, we probably
only care about the second one:
2012-03-21T18:59:55.472-0500 INFO This is not an error
2012-03-21T18:59:42.907-0500 ERROR Something bad happened
By defining an extracted field, we can create new fields in our data, without re-indexing,
that let us search for values occurring at a specific position in an event.
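As an added illustration (not from the book), the following Python code re-implements the two extractions just discussed with the same regular expressions: the rex on the ip field from the subnet example, and a position-anchored loglevel field over the two sample events above. It then contrasts a raw keyword search for "error" with a search on the extracted field. The loglevel regex and the sample ip values are assumptions made for this example.

```python
import re
from typing import List, Optional

# Constructed sample events, copied from the two lines shown in the text.
EVENTS = [
    "2012-03-21T18:59:55.472-0500 INFO This is not an error",
    "2012-03-21T18:59:42.907-0500 ERROR Something bad happened",
]

# Python equivalent of:  | rex field=ip "(?P<subnet>.*)\."
# The greedy .* followed by a literal dot captures everything up to the LAST dot.
SUBNET_RE = re.compile(r"(?P<subnet>.*)\.")

# Assumed loglevel extraction: anchored at the start of the raw event, the level
# is the upper-case token that follows the timestamp. This mirrors what the
# Extract Fields interface would generate for events shaped like the samples.
LOGLEVEL_RE = re.compile(r"^\S+\s+(?P<loglevel>[A-Z]+)\s")


def extract_subnet(ip: str) -> Optional[str]:
    """Return the subnet portion of an ip value such as 10.1.2.3 -> 10.1.2."""
    m = SUBNET_RE.search(ip)
    return m.group("subnet") if m else None


def extract_loglevel(raw: str) -> Optional[str]:
    """Return the log level token from a raw event, or None if it does not match."""
    m = LOGLEVEL_RE.match(raw)
    return m.group("loglevel") if m else None


def raw_word_search(events: List[str], word: str) -> List[str]:
    """Mimic a bare keyword search: the term may appear anywhere in the event,
    matched case-insensitively, so the 'not an error' INFO event also matches."""
    pattern = re.compile(r"\b" + re.escape(word) + r"\b", re.IGNORECASE)
    return [e for e in events if pattern.search(e)]


def field_search(events: List[str], loglevel: str) -> List[str]:
    """Mimic loglevel=ERROR: only events whose extracted field equals the value."""
    return [e for e in events if extract_loglevel(e) == loglevel]


if __name__ == "__main__":
    print("subnet of 10.1.2.3:", extract_subnet("10.1.2.3"))
    print("raw search 'error' matched", len(raw_word_search(EVENTS, "error")), "events")
    print("field search loglevel=ERROR matched", field_search(EVENTS, "ERROR"))
```

Running it shows the keyword search returning both events while the field search returns only the ERROR event, which is exactly the distinction the extracted field buys you.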
Using the Extract Fields interface
There are several ways to define a field. Let's start by using the Extract Fields
interface. To access this interface, choose Extract Fields from the workflow
actions menu next to any event: