https://community.splunk.com/t5/Splunk-Search/Field-extraction-tool-not-showing-whole-event/m-p/58762#M14409 <P>Make sure the drop down on the top left isn't filtering your selection. It should be showing you much more than 18 lines.</P> <P>In my opinion, the field extractor doesn't work very well. A better option is to extract fields using <B>rex</B>.</P> <P><A href="http://www.splunk.com/base/Documentation/4.1.7/SearchReference/Rex" rel="nofollow">http://www.splunk.com/base/Documentation/4.1.7/SearchReference/Rex</A></P> <P>Use <B>rex field=_raw</B>. Once i figured out how to do this I never found the need to use the field extractor again. Also, once you get a working regex working you can create a new field in the manager/fields to make it permanent. This was a little tricky at first so let me know if you get stuck and i can explain how to use it...if you decide to do so.</P> <P>I-Man</P> Tue, 15 Mar 2011 01:47:08 GMT I-Man 2011-03-15T01:47:08Z https://community.splunk.com/t5/Splunk-Search/Field-extraction-tool-not-showing-whole-event/m-p/58761#M14408 <P>I'm trying to use the field extraction tool. The problem is that the field I want to extract is about 18 lines down and the field extraction tool is showing me about 15 lines. Is there a config option to allow more lines to be visible?</P> Tue, 15 Mar 2011 01:34:20 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction-tool-not-showing-whole-event/m-p/58761#M14408 nocostk 2011-03-15T01:34:20Z https://community.splunk.com/t5/Splunk-Search/Field-extraction-tool-not-showing-whole-event/m-p/58762#M14409 <P>Make sure the drop down on the top left isn't filtering your selection. It should be showing you much more than 18 lines.</P> <P>In my opinion, the field extractor doesn't work very well. A better option is to extract fields using <B>rex</B>.</P> <P><A href="http://www.splunk.com/base/Documentation/4.1.7/SearchReference/Rex" rel="nofollow">http://www.splunk.com/base/Documentation/4.1.7/SearchReference/Rex</A></P> <P>Use <B>rex field=_raw</B>. Once i figured out how to do this I never found the need to use the field extractor again. Also, once you get a working regex working you can create a new field in the manager/fields to make it permanent. This was a little tricky at first so let me know if you get stuck and i can explain how to use it...if you decide to do so.</P> <P>I-Man</P> Tue, 15 Mar 2011 01:47:08 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction-tool-not-showing-whole-event/m-p/58762#M14409 I-Man 2011-03-15T01:47:08Z https://community.splunk.com/t5/Splunk-Search/Field-extraction-tool-not-showing-whole-event/m-p/58763#M14410 <P>The built-in Interactive Field Extractor (IFX) does indeed limit the display to 15 lines to prevent the browser from being abused.</P> <P>There is a new field extractor tool, which is a separate 4.2 Splunk app. It will solve your problem. Among other improvements, it has an options dialog that allows you to specify the maximum lines per event to show.</P> <P><A href="http://splunkbase.splunk.com/apps/All/4.x/App/app:Field+Extractor" rel="nofollow">http://splunkbase.splunk.com/apps/All/4.x/App/app:Field+Extractor</A></P> <P><STRONG>editor's note:</STRONG> Field Extractor App now at <A href="http://apps.splunk.com/app/494/">http://apps.splunk.com/app/494/</A>, per below comment.</P> <P>Some benefits of the new tool:</P> <UL> <LI>Hightlights new extractions as well as showing all existing extractions and fields.</LI> <LI>Extract fields from other fields (e.g. pull out machine-type from host).</LI> <LI>Edit extraction, Save, Text, and Delete new and existing extractions</LI> <LI>Set permissions as public or private.</LI> <LI>Supports multiple indexes, and system-wide or app-specific changes.</LI> <LI>Supports multiple fields extracted from one regex.</LI> </UL> <P>The tool is still young and any feedback would be appreciated.</P> Tue, 29 Mar 2011 05:36:01 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction-tool-not-showing-whole-event/m-p/58763#M14410 carasso 2011-03-29T05:36:01Z https://community.splunk.com/t5/Splunk-Search/Field-extraction-tool-not-showing-whole-event/m-p/58764#M14411 <P>Sadly, the link referenced in Carsso's answer is no longer active. Happily, the app is still on "Apps" @ <A href="http://apps.splunk.com/app/494/">http://apps.splunk.com/app/494/</A></P> Tue, 24 Jun 2014 12:48:16 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction-tool-not-showing-whole-event/m-p/58764#M14411 bwooden 2014-06-24T12:48:16Z https://community.splunk.com/t5/Splunk-Search/Field-extraction-tool-not-showing-whole-event/m-p/58765#M14412 <P>Note the app seems to not have been updated since 2014, might be an issue with 8.0 update to Python 3.x</P> Mon, 20 Apr 2020 19:09:55 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction-tool-not-showing-whole-event/m-p/58765#M14412 avery2007 2020-04-20T19:09:55Z