
Why does the Field Extractor App not just show my events?

michealrp
Path Finder

One thing that I've noticed, and it may be something that I'm doing incorrectly, is that when I search for an event containing, say, "connected from" and I get, say, 15 results, when I attempt to run the extraction on the results, it pulls everything else in as well. Often more than 1000 lines of information are shown, without what I was specifically searching for being available. The default Splunk extraction utility does the same thing.

For example, in our firewalls, we log packet teardown data as well as the VPN logins. So, if I issue "WEBvpn session started NOT Teardown" I end up with the results that I'm looking for, just the VPN session started events. Then, if I attempt to use either the internal extraction utility OR this app, up to 1000 events, regardless of whether I'm using latest, diverse or outliers, I end up with all of the Teardown information clogging up the results.

1 Solution

carasso
Splunk Employee

This is intentional.

In Splunk, when you define a regular expression to extract a field, it has to "bind", or apply, to a source, a sourcetype, OR a host. So when you define a regex, it's going to apply to all the events of that source, sourcetype, or host (whichever one you bound the regex to), and not just the 15 that have the "connected from" text. As a result, we want you to see the effect of your regex on all the events it will apply to. If you only see the 15 events you have in mind, you'll not see the potentially disastrous effects it will have on other events.

That said, in the Field Extractor app, you can filter your events to just those that have a particular string (e.g., "connected from"), so that you can see the big picture and also focus in on particular events.

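To make the answer concrete, here is an added example (not the page's or the Field Extractor app's code) that simulates what the extractor preview does: it runs a regex over constructed firewall events that all share one sourcetype, showing how a regex written while looking only at the "WEBVPN session started" events silently labels Teardown peer addresses as VPN client IPs, and how anchoring the regex on the distinguishing text confines it to the intended events. The event text, the `filter_events` helper and the field names are assumptions for illustration, not Splunk APIs.

```python
import re

# Constructed sample events (not from the original post): one firewall sourcetype that mixes
# the "WEBVPN session started" events the question searched for with the Teardown events
# that share the sourcetype and therefore receive the same field extraction.
EVENTS = [
    "Jun 11 10:01:02 fw1: Group <Sales> User <alice> IP <203.0.113.5> WEBVPN session started.",
    "Jun 11 10:01:03 fw1: Teardown TCP connection 12345 for outside:198.51.100.7/443 to inside:10.0.0.5/51234 duration 0:00:12",
    "Jun 11 10:01:04 fw1: Group <Eng> User <bob> IP <203.0.113.9> WEBVPN session started.",
    "Jun 11 10:01:05 fw1: Teardown UDP connection 12346 for outside:198.51.100.8/53 to inside:10.0.0.6/4444 duration 0:00:01",
]

# A regex written while looking only at the VPN events: "the first IP in the event is the client".
LOOSE_RE = r"(?P<client_ip>\d{1,3}(?:\.\d{1,3}){3})"
# The same field, anchored on text that only the VPN events carry.
TIGHT_RE = r"User <(?P<user>[^>]+)> IP <(?P<client_ip>[^>]+)> WEBVPN session started"


def apply_extraction(pattern, events):
    """Mimic the extractor preview: run the regex against every event of the bound
    source/sourcetype/host and return the fields each event would get (None = no match)."""
    rx = re.compile(pattern)
    return [(m.groupdict() if (m := rx.search(e)) else None) for e in events]


def filter_events(events, needle):
    """The app's string filter: narrow the preview to events containing `needle`,
    without changing which events the extraction will actually bind to."""
    return [e for e in events if needle.lower() in e.lower()]


def misfires(pattern, events, marker="WEBVPN session started"):
    """Events the regex was not written for that nevertheless yield a field value."""
    return [e for e, fields in zip(events, apply_extraction(pattern, events))
            if fields is not None and marker not in e]


if __name__ == "__main__":
    for label, pat in (("loose", LOOSE_RE), ("tight", TIGHT_RE)):
        print(f"{label}: {len(misfires(pat, EVENTS))} non-VPN events get a client_ip value")
    # loose: 2 non-VPN events get a client_ip value  (Teardown peer IPs mislabelled as VPN clients)
    # tight: 0 non-VPN events get a client_ip value
```

Filtering the preview to "session started" hides the misfires from view but does not stop them: the loose regex still binds to, and extracts from, every Teardown event in the sourcetype.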
