Universal Field Extractor

Overview

Details

Highlight some text and Splunk will automatically learn to extract your fields!

keywords: regex, regexes, regular expression, regular expressions, pcre, fields, field extraction, machine learning, ai

Field Extractor and Anonymizer

Teach Splunk to automatically extract fields from your data, by just highlighting text!

Video Walk-through of this app!

Highlights new extractions as well as showing all existing extractions and fields.
Choose to have fields anonymized at index time for security (e.g. passwords, SSNs, IPs, etc).
Extract fields from other fields (e.g. pull out machine-type from host).
Have fields extracted at search-time or index-time.
Edit extraction, Save, Text, and Delete new and existing extractions
Set permissions as public or private.
Shows only the existing extractions for the type of data being analyzed.
Supports multiple indexes and system-wide changes or app specific.
Supports multiple fields extracted from one extraction.
Adds Workflow actions so you can go directly from an event to working on its sourcetype's field extractions

VOTE THIS APP UP!

Release Notes

Version 2.3

May 21, 2014

Supports remote indexes and fixed debugging notice.

Version 2.2

May 20, 2014

Fixed bug when it couldn't find indexes by added support for remote indexes.

Version 2.1

Jan. 15, 2014

updated corner case

Version 2.0

Dec. 24, 2013

Updated modern look.

Version 1.43

July 25, 2013

update packaging

Version 1.45

July 25, 2013

update package

Version 1.50

July 25, 2013

fixed long standing highlighting bug.

Version 1.60

July 25, 2013

Major speed up in getting started, working on regex. Previously the app did a great deal of work to find existing defined regexes, even if the regexes are defined in a different stanza. Now this is an option turned off by default.

Version 1.02

April 4, 2013

updated links to help

Version 1.01

March 15, 2012

FIXED BUG PREVENTING APP FROM WORKING

All working now.
Adds Workflow actions so you can go directly from an event to working on its sourcetype's field extractions

Version 0.997beta

Jan. 17, 2012

Fixes error when existing saved regexes are invalid.

Version 0.996beta

Dec. 15, 2011

Added workflow action to go from search results directly to the field extractor! Updated feedback link.

Version 0.995beta

Dec. 15, 2011

Now you go directly to field extraction from an event with the addition of "Extract Fields (new)" workflow action. When looking at search results on the Splunk search page, find a particular event you wish extract fields from, and select the triangle of actions to the left of the event. You'll be jumped into the new Field Extractor interface pre-filled out with the sourcetype and index of your event.

Version 0.992beta

Sept. 1, 2011

fix problem with logins

Version 0.991beta

Aug. 26, 2011

Updated to prevent CSRF.

Version 0.99beta

June 27, 2011

preemptive patch on possible problem with older releases.

Version 0.98beta

June 14, 2011

remove old functionality causing error in options dialog

Version 0.97beta

June 14, 2011

Fixes an error with the options dialog

Version 0.96beta

May 23, 2011

Fixed problem encountered when a fieldname starts with numbers.

Version 0.95beta

May 16, 2011

Fixed problems on Windows that prevented field extraction.

Version 0.93beta

April 28, 2011

Fixed problem when default index was empty
Added Feedback link.

Please give feedback!

Version 0.91beta

March 28, 2011

Improvements
- more streamlined and intuitive workflow
- added app and index settings
- busy animated gif while page is reloading
- moved common options onto screen, out of options dialog.
- added ? icon with tooltip help
- added "result type": latest, diverse, or outliers, to better show sample events that cover more of the data.

Version 0.9beta

Feb. 17, 2011

12,279

Downloads

Share Subscribe

Version

Built by

David Carasso

Support

Not Supported

Questions on Splunk Answers Flag as inappropriate