| Option | Description |
|---|---|
| Splunk query expression |
This field defines the Splunk query. Note that unlike the queries defined in the Splunk user interface, you must start the query with the term: search For example:
search * | head 100 One capability of Splunk search is field selection. This allows you to get access to Splunk-parsed fields within the _raw column. To select specific fields, use this syntax at the end of your defined search query: ... | field index source OpCode |
| Execute for each row |
If checked, a new query is issued for each row of data coming into the step. You can reference incoming fields of data using the ?{<Field>} syntax. For example, if you want to use the incoming field Size to drive the limit of results coming in, type this: search *head ?{Size} |
| Name | Name of the field. |
| Splunk name | Indicates the Splunk name for the field. |
| Type | Specifies the data type of the field. |
| Length | Indicates the length of the field. |
| Format | Specifies the format of the field. |
| Get fields | Displays the field metadata and displays it in the Fields tab. After you have detected the field metadata using the Get Fields button on the Fields tab, you may choose to delete metadata fields that are not relevant to your specific query. Since each field must be translated to its mapped data type, removing unused fields should increase performance. |
| Preview | Provides a first look at the data. Clicking Preview causes the Enter preview size window to appear. Enter the maximum number of records that you want to preview, then click OK. The preview data appears in the Examine preview data window. |