https://community.splunk.com/t5/Getting-Data-In/Fields-search-doesn-t-work-when-filtering-internal-fields/m-p/69253#M14033 <P>I'm just a noob but I think the results of the search will be "ORDERID=2646042148." If you need to pass just "2646042148" you might need to rename the ORDERID field to query and return just that. I think I read this on post Ayn responded to once. Your query (subquery actually) would be something like:</P> <PRE><CODE>[ MissingUserData exchange rate | rex "ID :(?&lt;ORDERID&gt;.+)" | rename ORDERID as query | fields query ] </CODE></PRE> <P>I did that for a query where I was looking up IPs in a lookup table and throwing them against some very unstructured data. My query was as follows where the column name in test2.csv was IP. This does impact search performance and like I said I'm a noob so in the interest of full disclosure YMMV </P> <PRE><CODE>index=netflow [| inputlookup test2.csv | rename IP as query | fields query ] </CODE></PRE> <P>Note the following link: <A href="http://docs.splunk.com/Documentation/Splunk/4.3.4/User/HowSubsearchesWork">http://docs.splunk.com/Documentation/Splunk/4.3.4/User/HowSubsearchesWork</A></P> Tue, 25 Sep 2012 17:02:27 GMT Runals 2012-09-25T17:02:27Z https://community.splunk.com/t5/Getting-Data-In/Fields-search-doesn-t-work-when-filtering-internal-fields/m-p/69250#M14030 <P>Here is the search string:</P> <P>MissingUserData exchange rate | rex "ID :(?<ORDERID>.+)" | fields ORDERID</ORDERID></P> <P>This returns 8 records on a specific time frame. But it returns the whole log string.</P> <P>If I add " | fields - _*" </P> <P>to only get the values of ORDERID in the results like this:</P> <P>MissingUserData exchange rate | rex "ID :(?<ORDERID>.+)" | fields ORDERID | fields - _*</ORDERID></P> <P>I get nothing.</P> <P>That behavior just baffles me. Anyone has an idea why that might be?</P> Tue, 25 Sep 2012 00:17:16 GMT https://community.splunk.com/t5/Getting-Data-In/Fields-search-doesn-t-work-when-filtering-internal-fields/m-p/69250#M14030 sansay 2012-09-25T00:17:16Z https://community.splunk.com/t5/Getting-Data-In/Fields-search-doesn-t-work-when-filtering-internal-fields/m-p/69251#M14031 <P>"The whole log string" is stored in the field <CODE>_raw</CODE>, so when you do <CODE>| fields - _*</CODE> you're removing that field as well, which is why you're not seeing any events - you should only be seeing your values for <CODE>ORDERID</CODE>.</P> Tue, 25 Sep 2012 06:02:30 GMT https://community.splunk.com/t5/Getting-Data-In/Fields-search-doesn-t-work-when-filtering-internal-fields/m-p/69251#M14031 Ayn 2012-09-25T06:02:30Z https://community.splunk.com/t5/Getting-Data-In/Fields-search-doesn-t-work-when-filtering-internal-fields/m-p/69252#M14032 <P>Here is a sample log that shows up, instead of just giving me the values for ORDERID:<BR /> 2012-02-06T03:07:54.739-08:00 lvp-p2-nppaysys01 BibitServer[9081]: WARNING: LogCategory [MissingUserData] No exchange rate for Order ID :2646042148</P> <P>Note that I can get only ORDERID values displayed with:</P> <PRE><CODE>MissingUserData exchange rate | rex "ID :(?&lt;ORDERID&gt;.+)" | fields ORDERID | table ORDERID </CODE></PRE> <P>But then I can't use that to feed it to another search, as it fails.</P> Tue, 25 Sep 2012 16:23:21 GMT https://community.splunk.com/t5/Getting-Data-In/Fields-search-doesn-t-work-when-filtering-internal-fields/m-p/69252#M14032 sansay 2012-09-25T16:23:21Z https://community.splunk.com/t5/Getting-Data-In/Fields-search-doesn-t-work-when-filtering-internal-fields/m-p/69253#M14033 <P>I'm just a noob but I think the results of the search will be "ORDERID=2646042148." If you need to pass just "2646042148" you might need to rename the ORDERID field to query and return just that. I think I read this on post Ayn responded to once. Your query (subquery actually) would be something like:</P> <PRE><CODE>[ MissingUserData exchange rate | rex "ID :(?&lt;ORDERID&gt;.+)" | rename ORDERID as query | fields query ] </CODE></PRE> <P>I did that for a query where I was looking up IPs in a lookup table and throwing them against some very unstructured data. My query was as follows where the column name in test2.csv was IP. This does impact search performance and like I said I'm a noob so in the interest of full disclosure YMMV </P> <PRE><CODE>index=netflow [| inputlookup test2.csv | rename IP as query | fields query ] </CODE></PRE> <P>Note the following link: <A href="http://docs.splunk.com/Documentation/Splunk/4.3.4/User/HowSubsearchesWork">http://docs.splunk.com/Documentation/Splunk/4.3.4/User/HowSubsearchesWork</A></P> Tue, 25 Sep 2012 17:02:27 GMT https://community.splunk.com/t5/Getting-Data-In/Fields-search-doesn-t-work-when-filtering-internal-fields/m-p/69253#M14033 Runals 2012-09-25T17:02:27Z https://community.splunk.com/t5/Getting-Data-In/Fields-search-doesn-t-work-when-filtering-internal-fields/m-p/69254#M14034 <P>Thank you Runals. You hit it on the nail with your answer.</P> Tue, 25 Sep 2012 18:26:41 GMT https://community.splunk.com/t5/Getting-Data-In/Fields-search-doesn-t-work-when-filtering-internal-fields/m-p/69254#M14034 sansay 2012-09-25T18:26:41Z