Extract fields

Next, we'll parse and extract fields from the stock data we are receiving for our new data input.

  1. Click Extract fields on the confirmation page of the wizard or on the app's navigation bar.
  2. Click Restart Now to restart Splunk Enterprise, which is necessary after creating data inputs.
  3. After restarting Splunk Enterprise, the Add-on Builder resumes on the Extract Fields page.

  4. From the Sourcetype list, select the sourcetype we created for our data input, "yahoo_finance".
  5. The data we receive from Yahoo Finance is in JSON format, and the Add-on Builder automatically detects this and displays "JSON" in the Format list.

  6. Click Parse.
  7. The Add-on Builder parses the JSON data and displays the results. Click the plus (+) sign in the data to expand the results and see the fields that have been extracted.

  8. Click Save to save the field extraction results.

>>  Continue to Validate and package the add-on.