This is simple steps to extract a duplicated field from raw data.
1. As you can see below capture, there are same data on existing field and raw data. Let’s make a separated field to have Splunk knows it is different value.
2. Click " Extract Fields"
3. Copy a exact part of field. In this case, it would be "src="222.68.x.x:0"
4. Paste of the wish data on "Example value for a field". It will generate a general expression value for you. Click "Generate"
5. Check data field on yellow backgroup color to see what you are exactly extracting.
6. Regular Expression pattern has been generated
7. Save it as "src_ip"
8. "Close"
9. Now, you see a new "src_ip" filed on interesting fields section.
The www.ipBalance.com runs by a volunteer group with IT professionals and experts at least over 25 years of experience developing and troubleshooting IT in general. ipBalance.com is a free online resource that offers IT tutorials, tools, product reviews, and other resources to help you and your need.
