Fields tab

In this tab, you can define the following properties and fields, as described in the table below.
Option
Description
Splunk query expression
This field defines the Splunk query. Note that unlike the queries defined in the Splunk user interface, you must start the query with the term: search
For example:
search * | head 100
One capability of Splunk search is field selection. This allows you to get access to Splunk-parsed fields within the _raw column. To select specific fields, use this syntax at the end of your defined search query:
... | fields index source OpCode
Execute for each row
If checked, a new query is issued for each row of data coming into the step. You can reference incoming fields of data using the ?{<Field>} syntax. For example, if you want to use the incoming field Size to drive the limit of results coming in, type this:
search * | head ?{Size}
Name
Name of the field.
Splunk name
Indicates the Splunk name for the field.
Type
Specifies the data type of the field.
Length
Indicates the length of the field.
Format
Specifies the format of the field.
Get fields
Detects the field metadata and displays it in the Fields tab. After you have detected the field metadata using the Get Fields button on the Fields tab, you may choose to delete metadata fields that are not relevant to your specific query. Since each field must be translated to its mapped data type, removing unused fields should increase performance.
Preview
Provides a first look at the data. Clicking Preview causes the Enter preview size window to appear. Enter the maximum number of records that you want to preview, then click OK. The preview data appears in the Examine preview data window.
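The Execute for each row option places each incoming value into the query through ?{<Field>}. The following Python code is an added example, not Pentaho or Splunk code: it models that substitution as plain text replacement (an assumption, since the page does not describe how values are escaped) and checks each row value against a hypothetical per-field allow-list before the query is built. FIELD_RULES, SAMPLE_ROWS, render_query and screen_rows are illustrative names, and the Host field is invented for the example.

```python
import re

# Placeholder syntax described on the page: ?{FieldName}
PLACEHOLDER = re.compile(r"\?\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Hypothetical per-field allow-lists; a field with no rule is refused.
FIELD_RULES = {
    "Size": re.compile(r"[0-9]{1,6}"),            # row limit passed to head
    "Host": re.compile(r"[A-Za-z0-9.-]{1,253}"),  # hostname-like token
}

# Constructed sample rows, not data from the page.
SAMPLE_ROWS = [{"Size": 100}, {"Size": "100 | stats count"}, {"Size": ""}]


class UnsafeFieldValue(ValueError):
    """Raised when a row value must not be placed into the query."""


def render_query(template, row):
    """Return the query text for one row (assumes plain text substitution)."""
    if not re.match(r"\s*search\s", template):
        raise ValueError("query must start with the term: search")

    def substitute(match):
        name = match.group(1)
        rule = FIELD_RULES.get(name)
        if rule is None:
            raise UnsafeFieldValue(f"no validation rule for field {name!r}")
        if name not in row:
            raise UnsafeFieldValue(f"row has no field {name!r}")
        value = str(row[name])
        if not rule.fullmatch(value):
            raise UnsafeFieldValue(f"field {name!r} has disallowed value {value!r}")
        return value

    return PLACEHOLDER.sub(substitute, template)


def screen_rows(template, rows):
    """Split rows into (queries safe to issue, rejected rows with the reason)."""
    accepted, rejected = [], []
    for row in rows:
        try:
            accepted.append(render_query(template, row))
        except UnsafeFieldValue as exc:
            rejected.append((row, str(exc)))
    return accepted, rejected
```

In a transformation, the same check belongs in a validation step placed before the Splunk step, so that only rows with accepted values reach it.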