Using the Splunk rex and erex Commands with Field Extractions (2024)

Getting data into Splunkis hard enough. After uploading a CSV, monitoring a log file, or forwarding data for indexing, more often than not, the data does not look the way you’d expect it to. The large blocks of unseparated data that are produced when it’s ingested are hard to read and unable to be searched. If the data is not already separated into events, doing so may seem like an uphill battle. Using Splunk field extractions with rex and erex will allow you toparse and perform advanced search commands using fields. This is where field extraction comes in handy.

What is a Field Extraction?

A field extraction enables you to extract additional fields out of your data sources. This enables you to gain more insights from your data so you and other stakeholders can use it to make informed decisions about the business.

Field Extraction via the GUI

Field extractionsin Splunk are the function and result of extracting fields from your event data for both default and custom fields. Field extractions allow you to organize your data in a way that lets you see the results you’re looking for.

How to Perform a Field Extraction

Using the Splunk rex and erex Commands with Field Extractions (3)

Pictured above is one of Splunk’s solutions to extracting searchable fields out of your data via Splunk Web.

  • Step 1:Within the Search and Reporting App, users will see this button available upon search. After clicking, a sample of the file is presented for you to define from events the data. The image below demonstrates this feature of Splunk’s Field Extractor in the GUI, after selecting an event from the sample data.

Using the Splunk rex and erex Commands with Field Extractions (4)

  • Step 2:From here, you have two options: use aregular expressionto separate patterns in your event data into fields, and the ability to separate fields bydelimiter. Delimiters are characters used to separate values such as commas, pipes, tabs, and colons.

Using the Splunk rex and erex Commands with Field Extractions (5)

  • Step 3:If you have selected a delimiter to separate your fields, Splunk will automatically create a tabular view in order to allow you to see what all events properly parsed would look like compared to its_rawdata pictured above.
  • Step 4:You can choose to rename all fields parsed by the selected delimiter. After saving, you will be able to search upon these fields, perform mathematical operations, and advanced SPL commands.

What are Rex and Erex Commands?

After extracting fields, you may find that some fields contain specific data you would like to manipulate, use for calculations, or display by themselves. You can use the Rex and Erex commands to do this.

What is the Rex Commands?

Therexcommandcan be used to create a new field out of any existing field which you have previously defined. This new field will appear in the field sidebar on the Search and Reporting app to be utilized like any other extracted field.

Command Syntax
| rex [field=<field>] (<regex-expression>)</regex-expression></field>

In order to define what your new field name will be called in Splunk, use the following syntax:

| rex [field=<field>] (?<field_name>”regex”)</field_name></field>

What is the Erex Commands?

Theerexcommand allows users to generate regular expressions. Unlike Splunk’s rex and regex commands, erex does not require knowledge of Regex, and instead allows a user to define examples and counter-examples of the data that needs to be matched.

 | erex <field_name> examples="<example>" counterexamples="<example>"</example></example></field_name>

Command Syntax
 | erex Port_Used examples=”Port 8000, Port 3182”

Start Using Field Extractions, Rex, and Erex Commands

A ton of incredible work can be done with your data in Splunk including extracting and manipulating fields in your data. But, you don’t have to master Splunk by yourself in order to get the most value out of it. Small, day-to-day optimizations of your environment can make all the difference in how you understand and use the data in your Splunk environment to manage all the work on your plate.

Cue Expertise on Demand, a service that can help with those Splunk issues and improvements to scale.EODis designed to answer your team’s daily questions and breakthrough stubborn roadblocks. Book a free consultation today, our team of experts is ready to help.

If You Found This Helpful...

This type of work can be a considerable resource expense when executing it in-house. The experts at Kinney Group have several years of experience architecting, creating, and solving in Splunk. With Kinney Group Professional Services, you’ll have access to some of the best and brightest minds to walk you through simple and tough problems as they come up.

Using the Splunk rex and erex Commands with Field Extractions (6)

Helpful? Don't forget to share this post!

Related Articles

Using the transpose Command

August 7, 2024

Using the appendpipe Command

July 31, 2024

Using the transaction Command

July 24, 2024

Using the Splunk rex and erex Commands with Field Extractions (2024)

FAQs

How to use field extractions in Splunk? ›

Add new field extractions in Splunk Web
  1. Select Settings > Fields.
  2. Click Field extractions to go to the field extractions page.
  3. Click New to create a new field extraction.
  4. Define a Destination app context for the field extraction. ...
  5. Give the field extraction a Name, using underscores for spaces between words.
Mar 20, 2023

What is the use of erex command in Splunk? ›

The erex command in Splunk is designed to simplify the process of data extraction when users lack knowledge of the regular expressions required.

What is the difference between Erex and Rex in Splunk? ›

Rex and erex are commands used in Splunk. Rex is used for field extraction using regular expressions, whereas erex assists in creating those regular expressions.

How do I extract a field from an object in Splunk? ›

  1. On your add-on homepage, click Extract Fields on the Add-on Builder navigation bar.
  2. On the Extract Fields page, from Sourcetype, select a source type to parse.
  3. From Format, select the data format of the data. Any detected format type is automatically selected and you can change the format type as needed. ...
  4. Click Parse.
Jun 13, 2022

What is the Rex command in Splunk? ›

The rex command matches the value of the specified field against the unanchored regular expression and extracts the named groups into fields of the corresponding names. When mode=sed , the given sed expression used to replace or substitute characters is applied to the value of the chosen field.

How to extract all fields in Splunk? ›

Access the field extractor from the All Fields dialog box

To get the full set of source types in your Splunk deployment, go to the Field Extractions page in Settings. Run a search that returns events. At the top of the fields sidebar, click All Fields. In the All Fields dialog box, click Extract new fields.

How to make Splunk faster? ›

Improve your searches
  1. Select an index in the first line of your search. ...
  2. Use the TERM directive. ...
  3. Use the tstats command. ...
  4. Avoid using table commands in the middle of searches and instead, place them at the end. ...
  5. Test your search string performance.
Apr 16, 2024

What is the best RAID for Splunk? ›

Raid 5/6/5+ can provide acceptable performance/cost tradeoffs for Splunk when the I/O load is simply not that high. However if there is any chance of the I/O load becoming high enough to tax the supplied storage subsystem, something in the RAID 10, 01, 0+1, 1+0 family will provide drastically superior results.

What are the Splunk commands? ›

Some of the common distributable streaming commands are: eval, fields, makemv, rename, regex, replace, strcat, typer, and where.

What are the 4 types of searches in Splunk by performance? ›

How search types affect Splunk Enterprise performance
Search typeRef. indexer throughputPerformance impact
DenseUp to 50,000 matching events per second.CPU-bound
SparseUp to 5,000 matching events per second.CPU-bound
Super-sparseUp to 2 seconds per index bucket.I/O bound
RareFrom 10 to 50 index buckets per second.I/O bound

What is the most efficient filter in Splunk? ›

One of the best ways to begin filtering events in Splunk is to search for a specific sourcetype by simply including a field-value pair like the following in your Splunk search as early (meaning as far to the left) as possible.

What is an interesting field in Splunk? ›

These are the fields that the Splunk software extracts from your data. When you first run a search the Selected Fields list contains the default fields host, source, and sourcetype. These default fields appear in every event. Interesting Fields are fields that appear in at least 20% of the events.

Which command is used to remove fields in Splunk? ›

If you want to remove specific fields in your data, then: In the Fields function, enter the fields you want to remove from your data in the field_list and type - in the operator field. For example, to remove the source field, type source in the field_list and - in the operator field.

How do I remove data from a field in Splunk? ›

Removing data from Splunk is possible by using the delete command. We first create the search condition to fetch the events we want to mark for delete. Once the search condition is acceptable, we add the delete clause at the end of the command to remove those events from Splunk.

How do I extract fields from events in Splunk? ›

To extract fields from your data, use the Parse with regex function to extract a field with a Java regular expression and add that field as a top-level field in your data. In this example, we'll use the Parse with regex function to extract a game card number from body .

How do you extract information from Splunk? ›

There are three common ways to extract data from Splunk Infrastructure Monitoring: by using SignalFlow, Splunk's streaming analytics API; by using the /timeserieswindow endpoint in the Splunk API; or from the Splunk UI. Each method is summarized below.

Which methods can be used to manually extract fields? ›

Out of the given options, the method that can be used to manually extract fields is Regular Expressions, or RegEx. Regular expressions are a powerful tool for pattern matching and can be used to extract specific fields from a given text.

Top Articles
Latest Posts
Article information

Author: Pres. Carey Rath

Last Updated:

Views: 6224

Rating: 4 / 5 (41 voted)

Reviews: 88% of readers found this page helpful

Author information

Name: Pres. Carey Rath

Birthday: 1997-03-06

Address: 14955 Ledner Trail, East Rodrickfort, NE 85127-8369

Phone: +18682428114917

Job: National Technology Representative

Hobby: Sand art, Drama, Web surfing, Cycling, Brazilian jiu-jitsu, Leather crafting, Creative writing

Introduction: My name is Pres. Carey Rath, I am a faithful, funny, vast, joyous, lively, brave, glamorous person who loves writing and wants to share my knowledge and understanding with you.