https://community.splunk.com/t5/Splunk-Search/In-line-rex-not-working-once-moved-to-Field-Extraction/m-p/85383#M21804 <P>As you mentioned: Field Discovery was set to "OFF"</P> <P>Field discovery is the process Splunk uses to extract <B>fields aside from default fields</B> such as host, source, and sourcetype. This means that Splunk only returns information on default fields and fields that are required to fulfill your search (if you are searching on certain fields, it will extract those fields). </P> <P>so you must include <BR /> | fields httpTimeStamp, httpClientIp, httpMethod, httpUri, httpResponseCode, httpBytesDownloaded, httpDownloadTime</P> <P>or mention them in some other explicit way in order for Splunk to extract them when Field Discovery is off. </P> <P>If you were testing with just the sourcetype or with * you wouldn't have seen them.</P> Fri, 05 Apr 2013 01:58:37 GMT rsennett_splunk 2013-04-05T01:58:37Z https://community.splunk.com/t5/Splunk-Search/In-line-rex-not-working-once-moved-to-Field-Extraction/m-p/85382#M21803 <P>Sample log entry:</P> <P><CODE>23:36:15 '99.999.999.999' GET /downloads//999/SomeProduct/GetComponent/Foo.exe 'Private Message' 200 5814120 19.391</CODE></P> <P>Query:</P> <PRE><CODE>"Private Message" | rex "(?&lt;httpTimeStamp&gt;\d\d\:\d\d\:\d\d) \'(?&lt;httpClientIp&gt;\d*\.\d*\.\d*\.\d*)\' (?&lt;httpMethod&gt;\w*) (?&lt;httpUri&gt;[^ ]*) \'CitrixOnline Installer-Downloader\' (?&lt;httpResponseCode&gt;\d+) (?&lt;httpBytesDownloaded&gt;[0-9\-]*) (?&lt;httpDownloadTime&gt;[0-9\.]*)" </CODE></PRE> <P>In line this rex works exactly as I would expect. Because i do not want to type that out every time i need info on http I added to Manager &gt;&gt; Fields &gt;&gt; Field extractions. </P> <P>It looks like this on the Field Extractions browser:</P> <PRE><CODE>http : EXTRACT-SomeName Inline "(?&lt;httpTimeStamp&gt;\d\d\:\d\d\:\d\d) \'(?&lt;httpClientIp&gt;\d*\.\d*\.\d*\.\d*)\' (?&lt;httpMethod&gt;\w*) (?&lt;httpUri&gt;[^ ]*) \'Private Message\' (?&lt;httpResponseCode&gt;\d+) (?&lt;httpBytesDownloaded&gt;[0-9\-]*) (?&lt;httpDownloadTime&gt;[0-9\.]*)" </CODE></PRE> <P>I checked props.conf and everything looks alright.</P> <P>What might i be missing?</P> Thu, 04 Apr 2013 23:49:25 GMT https://community.splunk.com/t5/Splunk-Search/In-line-rex-not-working-once-moved-to-Field-Extraction/m-p/85382#M21803 borisalves 2013-04-04T23:49:25Z https://community.splunk.com/t5/Splunk-Search/In-line-rex-not-working-once-moved-to-Field-Extraction/m-p/85383#M21804 <P>As you mentioned: Field Discovery was set to "OFF"</P> <P>Field discovery is the process Splunk uses to extract <B>fields aside from default fields</B> such as host, source, and sourcetype. This means that Splunk only returns information on default fields and fields that are required to fulfill your search (if you are searching on certain fields, it will extract those fields). </P> <P>so you must include <BR /> | fields httpTimeStamp, httpClientIp, httpMethod, httpUri, httpResponseCode, httpBytesDownloaded, httpDownloadTime</P> <P>or mention them in some other explicit way in order for Splunk to extract them when Field Discovery is off. </P> <P>If you were testing with just the sourcetype or with * you wouldn't have seen them.</P> Fri, 05 Apr 2013 01:58:37 GMT https://community.splunk.com/t5/Splunk-Search/In-line-rex-not-working-once-moved-to-Field-Extraction/m-p/85383#M21804 rsennett_splunk 2013-04-05T01:58:37Z