Interactive Field Extractor ( IFX ) in Splunk
Hello guys !! We all know that for writing any SPL query we need some fields. Depending on field values we usually segregate data as per our requirement. With the Interactive Field Extractor you can extract fields from your data very easily, without writing a regular expression by hand.
There are two methods in the field extractor by which you can extract fields. They are the following:
- Regular Expression
- Delimiters
Regular Expression Method
If you want to extract some fields from a raw log which is in an unstructured format, use the Regular Expression method. There are a few easy steps by which you can extract fields.
Step 1:
Write the index name or any metadata field by which you can see the logs. Then click on the arrow which you can see beside the events.
Step 2:
Click on Event Actions and then click on Extract Fields. After clicking this option a new tab (Field Extractor) will open.
Step 3:
Select the method as Regular Expression. Then click on Next.
Step 4:
Select the exact portion from your data and give it a field name as you want. Here in the below image I have selected the time portion from the data and given the field name TIME. After that click on Add Extraction and then click on Next.
Step 5:
Validate your extracted field. Here you can also see the regular expression for the extracted field, which Splunk creates by default; then click on Next. You can also use this regular expression with the rex command.
Step 6:
After confirming everything click on Finish.
Step 7:
Your extracted field will be saved in Splunk. Now you can see the extracted field in the field list.
*********************************************************************************
Delimiters Method
If you want to extract some fields from a raw log which is in a structured format, use the Delimiters method. There are a few easy steps by which you can extract fields.
Step 1:
Write the index name or any metadata field by which you can see the logs. Then click on the arrow which you can see beside the events.
Step 2:
Click on Event Actions and then click on Extract Fields. After clicking this option a new tab (Field Extractor) will open.
Step 3:
Select the method as Delimiters. Then click on Next.
Step 4:
Select one delimiter. Here we have selected Space as the delimiter because all the data in our log is separated by spaces.
Step 5:
Rename all the fields and give them proper names as you want. After that click on Next.
Step 6:
After confirming everything click on Finish.
Step 7:
Your extracted field will be saved in Splunk. Now you can see the extracted field in the field list.
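To show what the two methods above actually do to your events, here is an added example (not code from the original post, and not Splunk's own implementation) that applies an IFX-style regular expression and a Space-delimiter split to a few constructed log lines and then mirrors the Validate step by counting events where the TIME field was not extracted. The sample events and the regex are assumptions made for this example; Splunk writes named groups in PCRE syntax `(?<name>...)`, so the helper rewrites them to Python's `(?P<name>...)` before matching.

```python
import re

# Constructed sample events (not taken from the original post). The third
# line is deliberately missing its time portion.
SAMPLE_EVENTS = [
    "2024-01-15 10:15:32 host1 sshd[1234]: Accepted publickey for alice from 10.0.0.5",
    "2024-01-15 10:16:01 host2 sshd[1290]: Failed password for bob from 10.0.0.9",
    "2024-01-15 host3 kernel: audit: malformed line without a time field",
]

# Regex in the form the field extractor produces for a selected time portion
# (assumed for this example), using a PCRE-style named capture group.
IFX_REGEX = r"^\d{4}-\d{2}-\d{2}\s+(?<TIME>\d{2}:\d{2}:\d{2})"


def to_python_regex(splunk_regex):
    """Rewrite PCRE named groups (?<name>...) to Python's (?P<name>...).
    Lookbehinds (?<= and (?<! are untouched because '=' and '!' are not
    valid group-name characters."""
    return re.sub(r"\(\?<([A-Za-z_]\w*)>", r"(?P<\1>", splunk_regex)


def extract_regex(events, splunk_regex):
    """Regular Expression method: run the regex over every event.
    An event that does not match yields {} so the caller can see which
    events the extraction silently skips."""
    pattern = re.compile(to_python_regex(splunk_regex))
    results = []
    for event in events:
        match = pattern.search(event)
        results.append(match.groupdict() if match else {})
    return results


def extract_delims(events, delim, field_names):
    """Delimiters method: split each event on delim and name the positions.
    Positions beyond the end of a short event are simply left out."""
    results = []
    for event in events:
        parts = event.split(delim)
        results.append({name: parts[i] for i, name in enumerate(field_names) if i < len(parts)})
    return results


def missing_count(results, field):
    """Mirror of the Validate step: how many events lack the field."""
    return sum(1 for fields in results if field not in fields)
```

Running `extract_delims` on the third event assigns `host3` to TIME, because a delimiter extraction names values by position and a missing field shifts every later value one slot over; the regex extraction reports the same event as a miss instead, which is the kind of discrepancy the Validate step exists to catch.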
Hope you can now effectively use the feature below without fail:
Interactive Field Extractor ( IFX ) in Splunk
Happy Splunking !!
[…] In the above query we have extracted time portion from every event as a ATIMESTAMP through interactive field extractor. […]
Clearly step by step explained !!
Excellent article to learn about IFX.