Bob Fox: Archive for the 'how-to' Tab

Field Definitions and Splunk’s extract Command

The 3.0 version of Splunk has introduced some wonderful new features such as advanced reporting, granular access control and a slew of additional functions to help you search through your IT data. One of these newly released functions is the extract command. This works very nicely with Splunk’s revamped facility to add, view, and access field names. Here is a quick primer on creating field definitions and using the extract command to have those definitions reloaded automatically.

Splunk has always done a great job at allowing you to search on any text from any data source. Splunk even goes one step beyond this and automatically defines named fields for data that shows up as a Keyword=Value (KV) pair. If my data contains text that looks like

username=sparky

then Splunk will key in on those values, allowing me to search and report on them more precisely. For instance, I could say

* | where username <> "sparky"

to get back all of the records where sparky did not show up as a username.

But what if my data is not so friendly? Consider an event that looks like this:

Invalid login attempt by sparky on host kinja
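As an added example (not code from the original post), here is a small Python model of the two situations above: automatic KV extraction for username=sparky style events, plus a hypothetical regex field definition, which the post has not yet shown, for the free-text "Invalid login attempt" event, followed by the equivalent of the where username <> "sparky" search. The event lines and the regex are constructed for this illustration.

```python
import re

# Constructed sample events: two in Keyword=Value form (which Splunk
# extracts automatically) and two free-text events that need a field
# definition before their values become searchable fields.
EVENTS = [
    "Mar 12 10:01:02 auth: login ok username=sparky src=10.0.0.5",
    "Mar 12 10:01:09 auth: login ok username=alice src=10.0.0.8",
    "Invalid login attempt by sparky on host kinja",
    "Invalid login attempt by mallory on host kinja",
]

# Automatic KV extraction: any token of the form key=value becomes a field.
KV_RE = re.compile(r"(\w+)=(\S+)")

# Hypothetical field definition (assumed here, not given on the page) for the
# free-text event; named groups supply the field names.
FIELD_DEFINITIONS = [
    re.compile(r"Invalid login attempt by (?P<username>\S+) on host (?P<host>\S+)"),
]


def extract_fields(event: str) -> dict:
    """Return the fields found in one event: automatic KV pairs first,
    then anything captured by a matching user-supplied definition."""
    fields = dict(KV_RE.findall(event))
    for pattern in FIELD_DEFINITIONS:
        match = pattern.search(event)
        if match:
            fields.update(match.groupdict())
    return fields


def search_where_not(events, field, value):
    """Model of `* | where <field> <> "<value>"`: keep events in which the
    field is present and differs from value. Events lacking the field are
    dropped, since the comparison cannot be evaluated for them."""
    hits = []
    for event in events:
        fields = extract_fields(event)
        if field in fields and fields[field] != value:
            hits.append(event)
    return hits


if __name__ == "__main__":
    for event in EVENTS:
        print(extract_fields(event))
    for event in search_where_not(EVENTS, "username", "sparky"):
        print("match:", event)
```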