
Splunk Practice Exercise 12: Configuring Extracted Fields

Introduction

This practice exercise focuses on configuring extracted fields in Splunk.

Step 1: Access Splunk Web

  1. Open your web browser and navigate to Splunk Web:

    http://<your server ip>:8000

  2. Log in using your credentials.

Step 2: Navigate to Settings

  1. In the Splunk Web interface, go to the Settings menu.

Step 3: Configure Extracted Fields

  1. Under Settings, select Fields.

  2. Click on Field Extractions.

  3. Click on New Field Extraction.

  4. Fill in the required information:

     Destination App: Select the appropriate app.

     Name: Enter a unique name for the extraction, e.g., NewAcctID.

     Apply to: Choose sourcetype as the scope.

     Named: Enter the sourcetype vendor_sales.

     Type: Select Inline.

     Extraction/Transform: Enter the regular expression AcctID=(?<NewAcctID>\d+)

  5. Click Save to create the extracted field.

Step 4: Use the Extracted Field

  1. Go back to the Search & Reporting app.

  2. Use the extracted field in your search queries. For example:

    sourcetype=vendor_sales | head 5

  3. The results should now include a newly extracted field named "NewAcctID", produced by the regex AcctID=(?<NewAcctID>\d+) that we configured earlier for sourcetype=vendor_sales.

  4. This was a fairly simple regex that extracts a value already present in the event; you can write a custom regex for your own use case.
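
Before saving an inline extraction, it is worth testing the regex against a handful of real events to see how many of them actually produce the field. The script below is an added example, not part of the original exercise: it runs the exercise's regex AcctID=(?<NewAcctID>\d+) over constructed sample events (the vendor_sales format is assumed) and shows which events yield the field. Splunk uses PCRE, whose named-group syntax (?<name>...) Python's re module does not accept, so the helper first rewrites it to Python's (?P<name>...).

```python
import re

# Constructed sample events in the shape a vendor_sales sourcetype might
# have; these are not data from the original exercise.
SAMPLE_EVENTS = [
    "2024-01-05 10:00:01 vendor=Acme AcctID=1001 amount=19.99",
    "2024-01-05 10:00:02 vendor=Bolt AcctID=20457 amount=5.00",
    "2024-01-05 10:00:03 vendor=Cyan amount=7.25",              # no AcctID at all
    "2024-01-05 10:00:04 vendor=Dune AcctID=abc amount=1.00",   # non-numeric id
]

# The regex exactly as entered in the Field Extraction dialog (PCRE syntax).
SPLUNK_REGEX = r"AcctID=(?<NewAcctID>\d+)"

# Matches a PCRE named group opener "(?<name>" but not the lookbehind
# openers "(?<=" and "(?<!", which Python shares with PCRE.
_PCRE_NAMED_GROUP = re.compile(r"\(\?<(?!=|!)([A-Za-z_]\w*)>")


def pcre_to_python(pattern: str) -> str:
    """Rewrite (?<name>...) to (?P<name>...) so Python's re can run it."""
    return _PCRE_NAMED_GROUP.sub(r"(?P<\1>", pattern)


def extract_fields(event: str, pattern: str) -> dict:
    """Apply one inline extraction to one event, as Splunk does at search time.
    Returns the named groups that matched; an event with no match yields {},
    i.e. the field is simply absent for that event rather than an error."""
    m = re.search(pcre_to_python(pattern), event)
    return m.groupdict() if m else {}


def extraction_coverage(events, pattern):
    """(events that produced the field, total events): a quick check on
    whether the regex is too narrow for the data before saving it."""
    hits = sum(1 for e in events if extract_fields(e, pattern))
    return hits, len(events)


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(extract_fields(e, SPLUNK_REGEX), "<-", e)
    print("matched %d of %d events" % extraction_coverage(SAMPLE_EVENTS, SPLUNK_REGEX))
```

Only two of the four constructed events yield NewAcctID; the event with a non-numeric AcctID silently gets no field, which is the behaviour to expect in Splunk when \d+ is too strict for the data.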

Conclusion

Congratulations! You have successfully completed the practice exercise, configuring an extracted field in Splunk. Extracted fields allow you to derive valuable information from your raw event data, making it easier to analyze and visualize. Continue to explore and experiment with different extraction methods and configurations to enhance your Splunk skills.