https://community.splunk.com/t5/Splunk-Search/does-not-appear-in-the-field/m-p/474168#M133387 <P>Hi all</P> <P>I have event like that.<BR /> 2019-10-26 15:00:09.158, servicename="ROOT2", area="SCP", place="tokyo", path="AAA12345", Default="B", Sn="B", SC="B", update="person"</P> <P>"path" "place" "area" "servicename" and "Sn" are automatically appear in the field.<BR /> When a field is specified, a value such as B appears.</P> <P>But 　"SC" did not appear automatically. I think it is few.</P> <P>I need value like B.<BR /> I want to make table.</P> <PRE><CODE>index=main |table path, area, Sn, SC </CODE></PRE> <P>path,area,Sn,SC<BR /> AAA12345,tokyo,B,B<BR /> AAA23456,osaka,A,A<BR /> AAA34567,nagoya,C,A</P> <P>What should I do?</P> <P>Thank you for helping.</P> Fri, 01 Nov 2019 08:39:55 GMT nanachu 2019-11-01T08:39:55Z https://community.splunk.com/t5/Splunk-Search/does-not-appear-in-the-field/m-p/474168#M133387 <P>Hi all</P> <P>I have event like that.<BR /> 2019-10-26 15:00:09.158, servicename="ROOT2", area="SCP", place="tokyo", path="AAA12345", Default="B", Sn="B", SC="B", update="person"</P> <P>"path" "place" "area" "servicename" and "Sn" are automatically appear in the field.<BR /> When a field is specified, a value such as B appears.</P> <P>But 　"SC" did not appear automatically. I think it is few.</P> <P>I need value like B.<BR /> I want to make table.</P> <PRE><CODE>index=main |table path, area, Sn, SC </CODE></PRE> <P>path,area,Sn,SC<BR /> AAA12345,tokyo,B,B<BR /> AAA23456,osaka,A,A<BR /> AAA34567,nagoya,C,A</P> <P>What should I do?</P> <P>Thank you for helping.</P> Fri, 01 Nov 2019 08:39:55 GMT https://community.splunk.com/t5/Splunk-Search/does-not-appear-in-the-field/m-p/474168#M133387 nanachu 2019-11-01T08:39:55Z https://community.splunk.com/t5/Splunk-Search/does-not-appear-in-the-field/m-p/474169#M133388 <P>You can use regex in the query for extracting 'SC' value.<BR /> ex:</P> <PRE><CODE>SC=\"(?&lt;sc&gt;\w*)\" </CODE></PRE> Fri, 01 Nov 2019 08:59:42 GMT https://community.splunk.com/t5/Splunk-Search/does-not-appear-in-the-field/m-p/474169#M133388 ansusabu 2019-11-01T08:59:42Z https://community.splunk.com/t5/Splunk-Search/does-not-appear-in-the-field/m-p/474170#M133389 <P>Thank you for helping.<BR /> but, it does not work well.</P> Tue, 05 Nov 2019 01:23:55 GMT https://community.splunk.com/t5/Splunk-Search/does-not-appear-in-the-field/m-p/474170#M133389 nanachu 2019-11-05T01:23:55Z https://community.splunk.com/t5/Splunk-Search/does-not-appear-in-the-field/m-p/474171#M133390 <P>Add this as the first pipe in your SPL:</P> <PRE><CODE>... | rex "SC=\"(?&lt;SC&gt;[^\"]+)\" ... </CODE></PRE> Tue, 05 Nov 2019 03:07:39 GMT https://community.splunk.com/t5/Splunk-Search/does-not-appear-in-the-field/m-p/474171#M133390 woodcock 2019-11-05T03:07:39Z https://community.splunk.com/t5/Splunk-Search/does-not-appear-in-the-field/m-p/474172#M133391 <P>when I used |rex field=_raw<BR /> It work well.<BR /> Thank you.</P> Wed, 06 Nov 2019 09:10:30 GMT https://community.splunk.com/t5/Splunk-Search/does-not-appear-in-the-field/m-p/474172#M133391 nanachu 2019-11-06T09:10:30Z