Implementing Splunk Second Edition

Working with fields


All the fields that we have used so far were either indexed fields (such as host, sourcetype, and _time) or fields that were automatically extracted from key=value pairs. Unfortunately, most logs don't follow this format, especially for the first few values in each event. New fields can be created inline, using search commands, or permanently, through configuration.

A regular expression primer

Most of the ways to create new fields in Splunk involve regular expressions (sometimes referred to as REGEX). As mentioned in the Splunk documentation:

"Regex is a powerful part of the Splunk search interface, and understanding it is an essential component of Splunk search best practices".

There are many books and sites dedicated to regular expressions, so we will only touch upon the subject here. The examples that follow are provided for completeness; the Splunk web interface may suffice for most users.

Given the log snippet ip=1.2.3.4, let's pull out the subnet (1.2.3) into a new field...
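As an added illustration that is not part of the book: the Python script below runs the same extraction over a handful of constructed sample events, using a named capture group (the `(?P<name>...)` form, which Splunk's PCRE-based rex command also accepts) to turn the first three octets into a `subnet` field. It also mimics the automatic key=value extraction mentioned above, and shows why a loose pattern such as `ip=(?P<subnet>.*)\.` is a poor choice: greedy `.*` runs to the last dot on the line and swallows anything dotted that follows the address. The event texts, host names and user names are invented for the example.

```python
import re

# Constructed sample events (not from the book). The first two carry a
# well-formed ip= pair, the third has none, the fourth has ip= with a value
# that is not an address, and the fifth has a dotted value later in the line.
SAMPLE_EVENTS = [
    "2024-03-01T10:00:00Z host=web01 ip=1.2.3.4 action=login user=alice",
    "2024-03-01T10:00:05Z host=web02 ip=10.20.30.40 action=logout user=bob",
    "2024-03-01T10:00:09Z host=web03 action=health",
    "2024-03-01T10:00:12Z host=web04 ip=unknown action=login user=mallory",
    "2024-03-01T10:00:15Z host=web05 ip=5.6.7.8 action=login user=carol@example.com",
]

# Stand-in for the automatic key=value extraction: one field per pair, with
# the value running up to the next whitespace.
KV_RE = re.compile(r"(?P<key>\w+)=(?P<value>\S+)")


def extract_kv(event):
    return {m.group("key"): m.group("value") for m in KV_RE.finditer(event)}


# Named group that becomes the new field. Octets are limited to 1-3 digits and
# the pattern is anchored to the "ip=" key, so it cannot wander past the
# address or match a stray "ip=" inside another token.
SUBNET_RE = re.compile(r"\bip=(?P<subnet>\d{1,3}\.\d{1,3}\.\d{1,3})\.\d{1,3}\b")


def extract_subnet(event):
    m = SUBNET_RE.search(event)
    return m.group("subnet") if m else None


# The tempting shortcut "everything after ip= up to a dot". Because .* is
# greedy it backtracks only to the LAST dot on the line, so a later e-mail
# address or hostname is swallowed into the field.
LOOSE_RE = re.compile(r"ip=(?P<subnet>.*)\.")


def extract_subnet_loose(event):
    m = LOOSE_RE.search(event)
    return m.group("subnet") if m else None


def extract_all(events):
    """Return (subnet, fields) per event; subnet is None when no well-formed
    address is present, mirroring Splunk leaving the field unset."""
    return [(extract_subnet(e), extract_kv(e)) for e in events]


if __name__ == "__main__":
    for subnet, fields in extract_all(SAMPLE_EVENTS):
        print(f"subnet={subnet!r} fields={fields}")
    print("loose pattern on event 5:", extract_subnet_loose(SAMPLE_EVENTS[4]))
```

The strict pattern yields `1.2.3` for the book's snippet and leaves the field unset for events with no usable address, whereas the loose pattern applied to the fifth event returns `5.6.7.8 action=login user=carol@example`. The same discipline applies when the expression is placed in a rex command or in props.conf/transforms.conf: anchor to the key, constrain the value's shape, and avoid unbounded `.*`.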