Using the admin interface to build a field
Taking our pattern from the previous example, we can build the configuration to wire up this extract.
First, click on Settings in the upper menu bar. From there, select Fields. The Fields section contains everything, funnily enough, about fields.
Here you can view, edit, and set permissions on field extractions, define event workflow actions and field aliases, and even rename source types.
For now, we're interested in Field extractions.
After clicking on Add new to the right of Field extractions, or on the New button after clicking on Field extractions, we are presented with the interface for creating a new field:
Now, we step through the fields:
- Destination app lets us choose the app where this extraction will live and where it will take effect, by default. We will discuss the scope of configurations in Chapter 11, Configuring Splunk.
- Name is simply a display name for the extraction. Make it as descriptive as you like.
- Apply to lets you choose what to bind this extraction to. Your choices are sourcetype, source, and host. The usual choice is sourcetype.
- named is the name of the item we are binding our extraction to.
- Type lets us choose either Inline, which means specifying the regular expression here, or Uses transform, which means we will specify a named transform that exists already in the configuration.
- Extraction/Transform is where we place our pattern if we chose a Type option of Inline, or else the name of a Transform object.
Once you click on Save, you will return to the listing of extractions. By default, your extraction will be private to you and will only function in the application it was created in. If you have the rights to do so, you can share the extraction with other users and change the scope of where it runs. Click on Permissions in the listing to see the permissions page, which most objects in Splunk use:
The top section controls the context in which this extraction will run. Think about when the field would be useful, and limit the extractions accordingly. An excessive number of extractions can affect performance, so it is a good idea to limit the extracts to a specific app when appropriate. We will talk more about creating apps in Chapter 8, Working with Apps.
The second section controls what roles can read or write this configuration. The usual selections are the Read option for the Everyone parameter and the Write option for the admin parameter. As you build objects going forward, you will become very familiar with this dialog. Permissions and security, in general, can be complex and affect where an app will eventually be visible—the reader is advised to take time to review whether the permissions set for apps are actually what is expected.
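To review whether the permissions are what is expected, the following added example (not from the original text or from Splunk) audits the text of an app's metadata/local.meta file, where Splunk stores the settings made in this dialog. It flags field extractions that are writable by roles other than admin or that are exported to all apps. The sample content, the app_logs sourcetype, and the extraction names are constructed, and stanza inheritance is modeled in a simplified way.

```python
import re

# Constructed sample of an app's metadata/local.meta; names are hypothetical.
SAMPLE_META = """
[]
access = read : [ * ], write : [ admin ]
[props/app_logs/EXTRACT-network]
export = none
[props/app_logs/EXTRACT-user]
access = read : [ * ], write : [ * ]
export = system
[props/app_logs/EXTRACT-session]
access = read : [ * ], write : [ admin, power ]
"""

def parse_meta(text):
    """Return {stanza: {key: value}} for the text of a .meta file."""
    stanzas, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def effective(stanzas, name, key):
    """Resolve key on a stanza, falling back to its parents, then to []."""
    parts = name.split("/")
    for i in range(len(parts), -1, -1):
        value = stanzas.get("/".join(parts[:i]), {}).get(key)
        if value is not None:
            return value

def writers(access):
    """'read : [ * ], write : [ admin ]' -> {'admin'}"""
    found = re.search(r"write\s*:\s*\[([^\]]*)\]", access or "")
    return {r.strip() for r in found.group(1).split(",") if r.strip()} if found else set()

def audit(text, allowed_writers=("admin",)):
    """Flag extractions writable by unexpected roles or exported to all apps."""
    stanzas, findings = parse_meta(text), []
    for name in (n for n in stanzas if "/EXTRACT-" in n):
        extra = sorted(writers(effective(stanzas, name, "access")) - set(allowed_writers))
        if extra:
            findings.append((name, "write: " + ", ".join(extra)))
        if effective(stanzas, name, "export") == "system":
            findings.append((name, "export: system"))
    return findings
```

Calling audit(SAMPLE_META) returns one (stanza, issue) pair per deviation; pass a different allowed_writers tuple if other roles are meant to edit extractions.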