https://community.splunk.com/t5/Splunk-Search/specifying-field-in-Field-Extraction/m-p/560714#M159368 <P>Thanks for the quick reply</P><P>But queries return nothing if <STRONG>in event</STRONG> part is added at the end of the line,&nbsp; after removing it they start working again.</P><P>btw, I tried to put entire Regex in quotes then <STRONG>in event</STRONG> part (as u can see in screenshot), and w/o quotes but nothing changed.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Rabbit_0-1627241285809.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/15221i0688F0F7127FDD92/image-size/medium?v=v2&amp;px=400" role="button" title="Rabbit_0-1627241285809.png" alt="Rabbit_0-1627241285809.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 25 Jul 2021 19:28:15 GMT Rabbit 2021-07-25T19:28:15Z https://community.splunk.com/t5/Splunk-Search/specifying-field-in-Field-Extraction/m-p/560686#M159354 <P>in search, w/ <STRONG>rex</STRONG> command I can specify which field I want to apply the Regex as following example<BR />| rex <STRONG>field</STRONG>=event "My Custom regex...."</P><P>But if I want to register the same regex in Field Extraction option (to have it reusable object w/ my team) I don't see any option to specify the field. I assume it register it to entire<STRONG> _raw</STRONG> as default.&nbsp;<BR /><BR />Any idea if I can specify the field when I create a Field with "Field Extraction" ?</P> Sat, 24 Jul 2021 21:42:34 GMT https://community.splunk.com/t5/Splunk-Search/specifying-field-in-Field-Extraction/m-p/560686#M159354 Rabbit 2021-07-24T21:42:34Z https://community.splunk.com/t5/Splunk-Search/specifying-field-in-Field-Extraction/m-p/560691#M159358 <P>Can you save it as a macro that your team can reuse?</P> Sat, 24 Jul 2021 22:47:05 GMT https://community.splunk.com/t5/Splunk-Search/specifying-field-in-Field-Extraction/m-p/560691#M159358 ITWhisperer 2021-07-24T22:47:05Z https://community.splunk.com/t5/Splunk-Search/specifying-field-in-Field-Extraction/m-p/560697#M159363 <P>We're planning to have custom fields so people can directly search by those fields.&nbsp; Field Extraction works well only concern of mine is not able to specify the fields which can cause performance difficulties.</P><P>I assume there is a difference between parsing from only the event versus from entire _raw.&nbsp;&nbsp;<BR /><BR />Also, I don't want to force developers to use&nbsp;<SPAN>back tick character for macro(s).</SPAN></P> Sun, 25 Jul 2021 03:37:12 GMT https://community.splunk.com/t5/Splunk-Search/specifying-field-in-Field-Extraction/m-p/560697#M159363 Rabbit 2021-07-25T03:37:12Z https://community.splunk.com/t5/Splunk-Search/specifying-field-in-Field-Extraction/m-p/560703#M159366 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/236788">@Rabbit</a>,</P><P>yes, putting a regex in field extractor it search in all _raw,</P><P>but you can limit the search to an already extracted field (the same thing of field=event in rex command) adding "in event" (without quotes obviously) at the end of the expression, in other words,&nbsp; please try to put this expression in field extractor:</P><LI-CODE lang="markup">My Custom regex.... in event</LI-CODE><P>Ciao.</P><P>Giuseppe</P> Sun, 25 Jul 2021 08:23:55 GMT https://community.splunk.com/t5/Splunk-Search/specifying-field-in-Field-Extraction/m-p/560703#M159366 gcusello 2021-07-25T08:23:55Z https://community.splunk.com/t5/Splunk-Search/specifying-field-in-Field-Extraction/m-p/560714#M159368 <P>Thanks for the quick reply</P><P>But queries return nothing if <STRONG>in event</STRONG> part is added at the end of the line,&nbsp; after removing it they start working again.</P><P>btw, I tried to put entire Regex in quotes then <STRONG>in event</STRONG> part (as u can see in screenshot), and w/o quotes but nothing changed.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Rabbit_0-1627241285809.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/15221i0688F0F7127FDD92/image-size/medium?v=v2&amp;px=400" role="button" title="Rabbit_0-1627241285809.png" alt="Rabbit_0-1627241285809.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Sun, 25 Jul 2021 19:28:15 GMT https://community.splunk.com/t5/Splunk-Search/specifying-field-in-Field-Extraction/m-p/560714#M159368 Rabbit 2021-07-25T19:28:15Z https://community.splunk.com/t5/Splunk-Search/specifying-field-in-Field-Extraction/m-p/560735#M159377 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/236788">@Rabbit</a>,</P><P>could you share your regex and a sample of your logs?</P><P>I used many times "in fieldname" in my field extraction.</P><P>Ciao.</P><P>Giuseppe</P> Mon, 26 Jul 2021 06:13:48 GMT https://community.splunk.com/t5/Splunk-Search/specifying-field-in-Field-Extraction/m-p/560735#M159377 gcusello 2021-07-26T06:13:48Z