Interactive Field Extractor (IFX) in Splunk


Hello guys !! We all know that writing any SPL query needs fields: depending on field values we segregate the data as our requirement demands. With the Interactive Field Extractor (IFX) you can extract fields from your data very easily, without writing a regular expression yourself.

The field extractor offers two methods by which you can extract fields:

  • Regular Expression
  • Delimiters

Regular Expression Method 

If you want to extract fields from raw logs that are in an unstructured format, use the Regular Expression method. There are a few easy steps by which you can extract fields.

Step 1:

Enter the index name, or any other metadata field, by which you can see the logs. Then click on the arrow that you can see beside the events.


Step 2:

Click on Event Actions and then click on Extract Fields. After clicking this option a new tab (Field Extractor) will open.


Step 3:

Select method as Regular Expression. Then click on Next.


Step 4:

Select the exact portion of your data and give it a field name of your choice. Here in the image below I have selected the time portion of the data and given it the field name TIME. After that click on Add Extraction and then click on Next.


Step 5:

Validate your extracted field; here you can also see the regular expression for the extracted field, which Splunk creates by default. You can also use this regular expression with the rex command. Then click on Next.
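The validate step matters because the regular expression IFX generates is built from the one event you highlighted, and it can be anchored on literals (an IP, a hostname) that only that event contains. The added example below is not from the original post or from Splunk; it constructs three access-log style events and compares an over-fitted pattern with a generalised one, the same check you do by eye on the validate screen. The `(?P<name>...)` named-group syntax is accepted by both Python's `re` and Splunk's PCRE-based `rex`, so a pattern that passes here can be pasted into `| rex field=_raw "..."` unchanged. The event text, field names and patterns are all constructed for this example.

```python
import re

# Constructed sample events (not from the original post): web-access style log lines.
EVENTS = [
    '10.0.0.5 - - [12/Mar/2024:10:15:32 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Mar/2024:10:15:40 +0000] "POST /login HTTP/1.1" 401 128',
    '192.168.1.20 - bob [12/Mar/2024:10:16:01 +0000] "GET /admin HTTP/1.1" 403 64',
]

# Shape of an over-fitted extraction: the literal prefix of the sample event is baked in,
# so every event from another client IP fails to match.
OVERFIT_TIME = r'^10\.0\.0\.5 - - \[(?P<TIME>[^\]]+)\]'

# Generalised extraction: the three leading tokens may be anything without whitespace,
# and several fields are pulled out at once. (Pattern is constructed for this example.)
GENERAL = (
    r'^\S+ \S+ \S+ \[(?P<TIME>[^\]]+)\] '
    r'"(?P<METHOD>[A-Z]+) (?P<URI>\S+) [^"]*" '
    r'(?P<STATUS>\d{3}) (?P<BYTES>\d+)$'
)


def extract(pattern, events):
    """Apply a named-group regex to each event.

    Returns one dict per event: the captured fields, or an empty dict when the
    pattern does not match (the event would show no value in Splunk's field list).
    """
    rx = re.compile(pattern)
    return [(m.groupdict() if (m := rx.search(ev)) else {}) for ev in events]


def coverage(pattern, events):
    """Fraction of events the pattern matched; the number the validate step lets you eyeball."""
    if not events:
        return 0.0
    hits = sum(1 for fields in extract(pattern, events) if fields)
    return hits / len(events)


if __name__ == "__main__":
    for label, pat in (("overfit", OVERFIT_TIME), ("general", GENERAL)):
        print(f"{label}: {coverage(pat, EVENTS):.0%} of events matched")
        for fields in extract(pat, EVENTS):
            print("   ", fields)
```

A pattern that matches only the sample event will quietly leave the field empty on every other event, and any search, alert or dashboard built on that field (for example counting `STATUS=401` per client) will under-report. Run the generalised pattern over a few hundred real events before clicking Finish, and treat a coverage well below 100% on homogeneous data as a sign the expression is anchored on something it should not be.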


Step 6:

After confirming everything click on Finish.


Step 7:

Your extracted field will be saved in Splunk. Now you can see the extracted field in the field list.


*********************************************************************************

Delimiters Method

If you want to extract fields from raw logs that are in a structured format, use the Delimiters method. There are a few easy steps by which you can extract fields.

Step 1:

Enter the index name, or any other metadata field, by which you can see the logs. Then click on the arrow that you can see beside the events.


Step 2:

Click on Event Actions and then click on Extract Fields. After clicking this option a new tab (Field Extractor) will open.


Step 3:

Select method as Delimiters. Then click on Next.


Step 4:

Select one delimiter. Here we have selected Space as the delimiter because all the data in our log is separated by spaces.


Step 5:

Rename all the fields and give them proper names as you want. After that click on Next.
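Delimiter extraction is positional: token one becomes the first field, token two the second, and so on, which is why the naming step matters. It also means any value that itself contains the delimiter shifts every field after it. The added example below is not from the original post or from Splunk; it constructs a few space-separated syslog-style events, reproduces the positional mapping (falling back to numbered names in the style the extractor shows before you rename them), shows a tail-aware variant that keeps a multi-word last value intact, and adds the consistency check you would want before clicking Finish. The events, field names and helper functions are all constructed for this example.

```python
# Constructed sample events (not from the original post): space-separated, syslog-style.
# The third event has a last value ("session opened") that contains the delimiter.
EVENTS = [
    "2024-03-12T10:15:32Z host1 sshd 1042 Accepted",
    "2024-03-12T10:15:40Z host2 sshd 1043 Failed",
    "2024-03-12T10:16:01Z host3 sudo 1044 session opened",
]

# Names chosen for this example, one per expected token position.
FIELD_NAMES = ["TIME", "HOST", "PROCESS", "PID", "ACTION"]


def split_fields(event, delimiter=" ", names=FIELD_NAMES):
    """Positional delimiter extraction: token i becomes names[i].

    Tokens beyond the named positions get a numbered fallback name (field6, ...)
    rather than being silently dropped, so the overflow stays visible.
    """
    fields = {}
    for i, token in enumerate(event.split(delimiter)):
        name = names[i] if i < len(names) else f"field{i + 1}"
        fields[name] = token
    return fields


def split_fields_tail_aware(event, delimiter=" ", names=FIELD_NAMES):
    """Variant that splits only len(names)-1 times, so everything after the last
    delimiter position is kept together in the final field ("session opened")."""
    tokens = event.split(delimiter, len(names) - 1)
    return dict(zip(names, tokens))


def inconsistent_events(events, delimiter=" ", expected=len(FIELD_NAMES)):
    """Return the events whose token count differs from the expected number.

    Any event listed here will have at least one field mis-assigned by a plain
    positional extraction; review them before saving the extraction.
    """
    return [ev for ev in events if len(ev.split(delimiter)) != expected]


if __name__ == "__main__":
    for ev in EVENTS:
        print(split_fields(ev))
    print("tail-aware:", split_fields_tail_aware(EVENTS[2]))
    print("inconsistent:", inconsistent_events(EVENTS))
```

The practical consequence for detection content: with plain positional splitting the third event's `ACTION` is `session`, so a search for `ACTION="session opened"` finds nothing, and a dashboard counting actions per host is quietly wrong. The consistency check makes that class of event visible up front; when it flags many events, the data is not as regularly delimited as it looked and the Regular Expression method is the safer choice.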


Step 6:

After confirming everything click on Finish.


Step 7:

Your extracted field will be saved in Splunk. Now you can see the extracted field in the field list.


Hope you can now effectively use the following without fail:

Interactive Field Extractor (IFX) in Splunk


Happy Splunking  !!
