Save prompts you for a name for your new field. Let's call this field loglevel and save it:
Now that we've defined our field, we can use it in a number of ways, as follows:
• We can search for the value using the fieldname, for instance, loglevel=error. When searching for values by fieldname, the fieldname is case sensitive, but the value is not case sensitive. In this case loglevel=Error would work just fine, but LogLevel=error would not.
• We can report on the field, whether we searched for it or not. For instance:
sourcetype="impl_splunk_gen" user=mary | top loglevel
• We can search for only events that contain our field:
sourcetype="impl_splunk_gen" user=mary loglevel="*"
Using rex to prototype a field
When defining fields, it is often convenient to build the pattern directly in the query and then copy the pattern into configuration. You might have noticed that the test in the Extract fields workflow used rex.
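As an added illustration of this prototype-then-configure step (it is not the book's configuration, and the regular expression is an assumed one for a level written as a bare word such as ERROR or WARN), here is a props.conf stanza that makes the loglevel extraction permanent once the pattern has been tested in the search bar with rex:

```ini
# props.conf for the sourcetype used throughout this chapter.
# Added example, not the book's own configuration; the pattern is assumed.
#
# Step 1: prototype the pattern in the search bar, where rex creates the
# field for that search only:
#   sourcetype="impl_splunk_gen" user=mary
#     | rex "(?i)\b(?<loglevel>error|warn|info|debug)\b"
#     | top loglevel
#
# Step 2: once the results look right, copy the same pattern here so every
# search against the sourcetype gets loglevel without the rex command.
# Note the (?i): a search for loglevel=Error is case insensitive on the value,
# but the extraction regex is not, so without (?i) an event containing
# "error" in lowercase would never receive the field at all.
[impl_splunk_gen]
EXTRACT-loglevel = (?i)\b(?<loglevel>error|warn|info|debug)\b
```

After the stanza is in place, the earlier searches (loglevel=error, | top loglevel, loglevel="*") work unchanged; the only difference is that the field now exists at search time for every event rather than only inside a query that carries the rex command.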