https://community.splunk.com/t5/Knowledge-Management/Field-extraction-failing/m-p/423975#M6287 <P>Hello, </P> <P>I have input data that has a field named "tag" and Splunk is not extracting this field correctly. Any suggestions are appreciated! <BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/6932i0F03D6D27EE8F4E7/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Tue, 23 Apr 2019 17:48:58 GMT grantccarlson 2019-04-23T17:48:58Z https://community.splunk.com/t5/Knowledge-Management/Field-extraction-failing/m-p/423975#M6287 <P>Hello, </P> <P>I have input data that has a field named "tag" and Splunk is not extracting this field correctly. Any suggestions are appreciated! <BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/6932i0F03D6D27EE8F4E7/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Tue, 23 Apr 2019 17:48:58 GMT https://community.splunk.com/t5/Knowledge-Management/Field-extraction-failing/m-p/423975#M6287 grantccarlson 2019-04-23T17:48:58Z https://community.splunk.com/t5/Knowledge-Management/Field-extraction-failing/m-p/423976#M6288 <P>Which column of your csv data is field tag?? Could you share your configuration for field extraction (or sourcetype parsing)?</P> Tue, 23 Apr 2019 18:42:38 GMT https://community.splunk.com/t5/Knowledge-Management/Field-extraction-failing/m-p/423976#M6288 somesoni2 2019-04-23T18:42:38Z https://community.splunk.com/t5/Knowledge-Management/Field-extraction-failing/m-p/423977#M6289 <P>The "tag" field is the last field in the data. </P> <P>Time,src_user,recipient,subject,file_name,tag<BR /> 4/1/19 10:00,Ty,George,Memo,Virus,email<BR /> 4/2/19 10:00,George,James,Please see!, ,email<BR /> 4/3/19 10:00,Mark,Josephine Daakjy,Memo,Memo,email</P> <P>Here are the first 3 rows of the data. I have removed last names to make the data anonymous. </P> Wed, 30 Sep 2020 00:13:47 GMT https://community.splunk.com/t5/Knowledge-Management/Field-extraction-failing/m-p/423977#M6289 grantccarlson 2020-09-30T00:13:47Z https://community.splunk.com/t5/Knowledge-Management/Field-extraction-failing/m-p/423978#M6290 <P>What's the sourcetype that you've assigned to this sourcetype? Have you configured anything for the <A href="https://docs.splunk.com/Documentation/SplunkCloud/7.2.4/Data/Extractfieldsfromfileswithstructureddata">CSV field extraction</A>? </P> Tue, 23 Apr 2019 19:36:20 GMT https://community.splunk.com/t5/Knowledge-Management/Field-extraction-failing/m-p/423978#M6290 somesoni2 2019-04-23T19:36:20Z https://community.splunk.com/t5/Knowledge-Management/Field-extraction-failing/m-p/423979#M6291 <P>The source type is CSV. I did go through the field extractions -&gt; delimiter to try to rename and extract all the fields. So far I am not having any luck with that process either. </P> Tue, 23 Apr 2019 19:53:21 GMT https://community.splunk.com/t5/Knowledge-Management/Field-extraction-failing/m-p/423979#M6291 grantccarlson 2019-04-23T19:53:21Z https://community.splunk.com/t5/Knowledge-Management/Field-extraction-failing/m-p/423980#M6292 <P>I also tried to extract the fields via the "+Extract New Fields" option at the bottom on the fields list in the UI, but this also does not work. </P> Tue, 23 Apr 2019 20:41:47 GMT https://community.splunk.com/t5/Knowledge-Management/Field-extraction-failing/m-p/423980#M6292 grantccarlson 2019-04-23T20:41:47Z https://community.splunk.com/t5/Knowledge-Management/Field-extraction-failing/m-p/423981#M6293 <P>I suggest you update your post with WAAAAAAAAAAAAAAAAAAAAAY more detail.</P> Wed, 24 Apr 2019 01:27:45 GMT https://community.splunk.com/t5/Knowledge-Management/Field-extraction-failing/m-p/423981#M6293 woodcock 2019-04-24T01:27:45Z https://community.splunk.com/t5/Knowledge-Management/Field-extraction-failing/m-p/423982#M6294 <P>What sort of detail do you need? </P> Wed, 24 Apr 2019 02:38:40 GMT https://community.splunk.com/t5/Knowledge-Management/Field-extraction-failing/m-p/423982#M6294 grantccarlson 2019-04-24T02:38:40Z https://community.splunk.com/t5/Knowledge-Management/Field-extraction-failing/m-p/423983#M6295 <P>A complete do-over. What is your search SPL? What is your expected output? If your data <CODE>has a field named "tag"</CODE>, then why do I not see any evidence of this (I guess this is what you are saying is the problem)? What is the field extraction (from props.conf) that is supposed to create this field? Where in one of your sample raw events is the portion of the event that makes up the value for its <CODE>tag</CODE> field.</P> Wed, 24 Apr 2019 06:45:51 GMT https://community.splunk.com/t5/Knowledge-Management/Field-extraction-failing/m-p/423983#M6295 woodcock 2019-04-24T06:45:51Z https://community.splunk.com/t5/Knowledge-Management/Field-extraction-failing/m-p/423984#M6296 <P>You are likely going to run into an issue of having a "reserved" field name like tag, eventtype etc. where the extracted field tag is possibly going to be confused with Splunk tags. The suggestion would be to rename field at the source csv or have an explicit field extraction to help you.</P> <P>This might help : <A href="https://answers.splunk.com/answers/659101/is-there-a-list-of-unusable-field-names.html">https://answers.splunk.com/answers/659101/is-there-a-list-of-unusable-field-names.html</A></P> Wed, 24 Apr 2019 07:52:54 GMT https://community.splunk.com/t5/Knowledge-Management/Field-extraction-failing/m-p/423984#M6296 vik_splunk 2019-04-24T07:52:54Z