Splunk Filed extraction field interception

Some fields in Splunk event need to be artificially defined as a new field, that is to say there is no field in the original event, this can be achieved by splunk field extraction:

1: Go to the event first and click: extact fields:

2: Then click: Regular expression:

3: Select the IP in the event and give it a name: sec_ip

4: See the screen below, then click Next

5: Same way: define a field: sec_user

6: Once defined, test:

7: You can see that there are fields on the left in the above figure: sec_user, sec_ip appear,

Reference Documentation: Extract fields from files with structured data - Splunk Documentation