Module 7: Creating and Managing Fields

Question 1

What does Field Auto-Extraction do?

Answer 1

Splunk automatically discovers many fields based on source type and key/value pairs found in the data?

Question 2

Prior to search time, some fields are already stored with the event in the index, what are those fields?

Answer 2

• Meta fields: host, source, and sourcetype

- Internal fields: _time and _raw

Question 3

At search time what does the field discovery do?

Answer 3

It discovers fields directly related to the search’s results

Question 4

True or False: Splunk may also extract other fields from raw event data that aren’t directly related to the search.

Answer 4

True

Question 5

What allows you to extract your own fields in Splunk?

Answer 5

Using the Field Extractor (FX)

Question 6

When should you use the Field Extractor (FX)?

Answer 6

Use Field Extractor (FX) to extract fields that are static and that you use often in searches

• GUI
• Extract fields from events using regex or delimiter
• Extracted fields persist as knowledge objects
• Can be shared and re-used in multiple searches

Question 7

How can you access the Field Extractor?

Answer 7

• Settings
• Fields Sidebar
• Event Acitons menu

Question 8

When should you use the Field Extraction method Regex?

Answer 8

• use this option when your event contains unstructured data like a system log file
• Field Extractor attempts to extract fields using a Regular Expression that matches similar events

Question 9

When should you use the Field Extraction method Delimiter?

Answer 9

• use this option when your event contains structured data like a .csv file
• the data doesn’t have headers and the fields must be separated by delimiters (spaces, commas, pipes, tabs, or other characters)

Question 10

How to do you get to Regex Field Extractions from settings?

Answer 10

• settings
• fields
• Fields extractions
• Open Field Extractor

Question 11

After you open up the Field Extractor for Regex what are the next steps?

Answer 11

1. Select the Data Type
   - sourectype
   - source
2. Select the source type
3. Select a sample event by clicking on it
4. Click Next >
5. Select Regular Expression
6. Click Next >
7. Select the value(s) you want to extract
8. Provide a field name
9. Click Add Extraction
10. Preview the sample events
11. Click Next >
12. Validate the proper field values are extracted
13. Click Next >
14. Review the name for the newly extracted fields and set permissions
15. Click finish

Question 12

What events are included in the extraction?

Answer 12

Only events with the highlighted string are extracted

Question 13

True or False: An extractions name is provided by default.

Answer 13

True, however, this name can be changed.

Question 14

How do you edit a regex for Field Extraction?

Answer 14

1. From Select Method, click Regular Expression
2. Click Next >
3. Select the field to extract
4. Provide a field name
5. Click Add Extraction
6. Click show Regular Expression >
7. Click edit the regular Expression
8. Update the regular expression
9. Click Save
10. Review the extractions name and set permissions
11. Click > Finish

Question 15

True or False: After you edit the regular expression, you cannot go back to the Field Extractor UI.

Answer 15

True

Question 16

When should you use Delimited Field Extractions?

Answer 16

Use delimited field extractions when the event log does not have a header and fields are separated by spaces, commas, or characters

Question 17

Delimited field extractions from settings.

Answer 17

• Settings
• Fields
• Field Extractions
• Open Field Extractor

Question 18

After opening field extractor what do you do next to finish?

Answer 18

1. Select the data type
   - sourcetype
   - source
2. Select the source type
3. Select a sample event
4. Click Next >
5. Select Delimiters
6. Click Next >
7. Select the Delimiter used in your event
8. Click the pencil icon next to the default field name
9. Enter a new field name
10. Click rename field
11. Repeat these steps for all fields
12. After all the fields are renamed, click Next>
13. Name your extraction
14. Click Finish>