Creating and Managing Fields Mod 8 Flashcards
What does Field Auto-Extraction do?
Splunk automatically discovers many fields based on source type and key/value pairs found in the data.
Prior to search time, some fields are already stored with the event in the index. What are those fields?
- Meta fields: host, source, and sourcetype
- Internal fields: _time and _raw
At search time what does the field discovery do?
It discovers fields directly related to the search’s results
True or False: Splunk may also extract other fields from raw event data that aren’t directly related to the search.
True
What allows you to extract your own fields in Splunk?
Using the Field Extractor (FX)
When should you use the Field Extractor (FX)?
Use Field Extractor (FX) to extract fields that are static and that you use often in searches
- GUI
- Extract fields from events using regex or delimiter
- Extracted fields persist as knowledge objects
- Can be shared and re-used in multiple searches
How can you access the Field Extractor?
- Settings
- Fields Sidebar
- Event Actions menu
When should you use the Field Extraction method Regex?
- use this option when your event contains unstructured data like a system log file
- Field Extractor attempts to extract fields using a Regular Expression that matches similar events
When should you use the Field Extraction method Delimiter?
- use this option when your event contains structured data like a .csv file
- the data doesn’t have headers and the fields must be separated by delimiters (spaces, commas, pipes, tabs, or other characters)
How do you get to Regex Field Extractions from Settings?
- settings
- fields
- Field extractions
- Open Field Extractor
After you open up the Field Extractor for Regex what are the next steps?
- Select the Data Type
  - sourcetype
  - source
- Select the source type
- Select a sample event by clicking on it
- Click Next >
- Select Regular Expression
- Click Next >
- Select the value(s) you want to extract
- Provide a field name
- Click Add Extraction
- Preview the sample events
- Click Next >
- Validate the proper field values are extracted
- Click Next >
- Review the name for the newly extracted fields and set permissions
- Click Finish
What events are included in the extraction?
Only events with the highlighted string are extracted
True or False: An extraction's name is provided by default.
True, however, this name can be changed.
How do you edit a regex for Field Extraction?
- From Select Method, click Regular Expression
- Click Next >
- Select the field to extract
- Provide a field name
- Click Add Extraction
- Click Show Regular Expression >
- Click Edit the Regular Expression
- Update the regular expression
- Click Save
- Review the extraction's name and set permissions
- Click Finish
True or False: After you edit the regular expression, you cannot go back to the Field Extractor UI.
True