I am trying to create new fields to search across multiple sources. I have two problems:
1. When searching for data of source1, and selecting "create new field", I create a field using regex (I highlight the portion that should be considered a value). Splunk takes all the events and applies the field label, but sometimes those are not a match. I need to be able to include only the values that I am interested in, and create a field out of those.
2. When searching across various data sources (say source1 and source2), the values are also mixed up because the column widths vary for different events. I need to exclude some of these values. Basically my problem is my previous question with one added level of complexity.
Thanks much!
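The two problems above come down to the same extraction logic: apply a source-specific regex with named capture groups, and keep a field only for events that actually match, so non-matching events (the "heartbeat" lines, the malformed rows from the other source) contribute no value instead of a wrong one. The following is an added example, not code from the original post or from Splunk; it models that logic in Python on constructed sample events (`source1` uses key=value pairs, `source2` uses pipe-separated columns; both are made up for the demonstration). In Splunk itself the same approach is `rex field=_raw "(?<user>...)"` per source, followed by `| where isnotnull(user)` to drop events where the extraction did not match.

```python
import re

# Constructed sample events from two hypothetical sources with different layouts.
# source1 lines carry key=value pairs; source2 lines are pipe-delimited columns.
EVENTS = [
    {"source": "source1", "_raw": "2024-01-01 10:00:01 host=web01 user=alice status=200"},
    {"source": "source1", "_raw": "2024-01-01 10:00:02 host=web02 user=bob status=500"},
    {"source": "source1", "_raw": "2024-01-01 10:00:03 host=web03 heartbeat ok"},
    {"source": "source2", "_raw": "web04 | carol | 403 | /admin"},
    {"source": "source2", "_raw": "web05 | dave | 200 | /index"},
    {"source": "source2", "_raw": "malformed line without columns"},
]

# One pattern per source. Named groups (?P<name>...) become the field names,
# which is the same idea as Splunk's rex "(?<name>...)" syntax.
PATTERNS = {
    "source1": re.compile(
        r"host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+status=(?P<status>\d{3})"
    ),
    "source2": re.compile(
        r"^(?P<host>\S+)\s*\|\s*(?P<user>\S+)\s*\|\s*(?P<status>\d{3})"
    ),
}


def extract_fields(events, patterns):
    """Return one record per event whose source pattern matched.

    Events with no pattern for their source, or whose raw text does not match,
    are dropped rather than being given a bogus value. This is the fix for
    "Splunk applies the field label to everything, but some are not a match".
    """
    extracted = []
    for ev in events:
        pattern = patterns.get(ev["source"])
        if pattern is None:
            continue  # unknown source: nothing to extract
        m = pattern.search(ev["_raw"])
        if m is None:
            continue  # no match: leave the field absent instead of mis-parsed
        extracted.append({"source": ev["source"], **m.groupdict()})
    return extracted


def filter_status(records, allowed):
    """Keep only records whose extracted status is in the allowed set,
    e.g. to focus on error responses across both sources."""
    return [r for r in records if r["status"] in allowed]


if __name__ == "__main__":
    rows = extract_fields(EVENTS, PATTERNS)
    for r in rows:
        print(r)
    print("errors:", filter_status(rows, {"403", "500"}))
```

Because each source gets its own pattern keyed on the `source` field, the varying column widths of the second problem stop mattering: the regex anchors on delimiters (`=` or `|`), not on character positions, and anything that does not fit the expected shape simply yields no field.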