https://community.splunk.com/t5/Splunk-Search/Field-Extractions-not-working/m-p/157860#M44471 <P>please provide a sample of the events to verify the rex.</P> Thu, 08 May 2014 22:39:48 GMT yannK 2014-05-08T22:39:48Z https://community.splunk.com/t5/Splunk-Search/Field-Extractions-not-working/m-p/157859#M44470 <P>I'm trying to get field extractions to show up in the Interesting Fields.</P> <P>My search string is as follows, and it completes successfully:</P> <PRE><CODE>sourcetype=syslog rgw01.lab | rex field=_raw "%SEC-6-IPACCESSLOG.?.: list (?P&lt;log_acl_name&gt;[A-Z]+\:[A-Z]+\:[A-Z]+) \w+ (?P&lt;log_acl_proto&gt;\w+) (?P&lt;log_acl_sip&gt;[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3})([(][0-9]+[)] |[ ])-&gt; (?P&lt;log_acl_dip&gt;[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3})(?P&lt;log_acl_dport&gt;[(][0-9]+[)][,]|[,])" </CODE></PRE> <P>I would expect these field extractions to show up, but they do not:</P> <PRE><CODE>log_acl_name log_acl_proto log_acl_sip log_acl_dip log_acl_dport </CODE></PRE> <P>I tried adding this to Settings &gt; Fields &gt; Field Extractions, but it still doesn't show up:</P> <PRE><CODE>"%SEC-6-IPACCESSLOG.?.: list (?P&lt;log_acl_name&gt;[A-Z]+\:[A-Z]+\:[A-Z]+) \w+ (?P&lt;log_acl_proto&gt;\w+) (?P&lt;log_acl_sip&gt;[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3})([(][0-9]+[)] |[ ])-&gt; (?P&lt;log_acl_dip&gt;[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3})(?P&lt;log_acl_dport&gt;[(][0-9]+[)][,]|[,])" </CODE></PRE> <P>I ran this regex through <A href="http://www.regexr.com">www.regexr.com</A> and it matched everything I was interested in, so I used that as a template to construct the rex:</P> <PRE><CODE> %SEC-6-IPACCESSLOG.?.: list [A-Z]+\:[A-Z]+\:[A-Z]+ \w+ \w+ ([\d]{1,3}\.[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3})([(][0-9]+[)] |[ ])-&gt; ([\d]{1,3}\.[\d]{1,3}\.[\d]{1,3}\.[\d]{1,3})([(][0-9]+[)][,]|[,]) </CODE></PRE> <P>Here's some sample events:</P> <PRE><CODE>2014-05-08T11:12:45.910030-04:00 lo21949.rgw01.lab.beanfield.com 193207: rgw01.lab: May 8 11:11:54.420: %SEC-6-IPACCESSLOGP: list FILTER:TV:IN permitted tcp 172.23.255.188(37548) -&gt; 172.16.0.2(80), 1 packet 2014-05-08T11:12:35.937906-04:00 lo21949.rgw01.lab.beanfield.com 193206: rgw01.lab: May 8 11:11:44.448: %SEC-6-IPACCESSLOGRP: list FILTER:TV:IN permitted igmp 172.23.255.191 -&gt; 224.0.0.22, 1 packet 2014-05-08T11:12:34.843132-04:00 lo21949.rgw01.lab.beanfield.com 193205: rgw01.lab: May 8 11:11:43.350: %SEC-6-IPACCESSLOGP: list FILTER:TV:IN permitted tcp 172.23.255.228(55094) -&gt; 172.16.0.2(80), 1 packet 2014-05-08T11:12:33.806361-04:00 lo21949.rgw01.lab.beanfield.com 193204: rgw01.lab: May 8 11:11:42.316: %SEC-6-IPACCESSLOGRP: list FILTER:TV:IN permitted igmp 172.23.255.238 -&gt; 224.0.0.22, 1 packet 2014-05-08T11:12:28.053939-04:00 lo21949.rgw01.lab.beanfield.com 193203: rgw01.lab: May 8 11:11:36.561: %SEC-6-IPACCESSLOGP: list FILTER:TV:IN permitted tcp 172.23.255.191(53347) -&gt; 172.16.0.2(80), 1 packet 2014-05-08T11:12:07.076675-04:00 lo21949.rgw01.lab.beanfield.com 193201: rgw01.lab: May 8 11:11:15.584: %SEC-6-IPACCESSLOGP: list FILTER:TV:IN permitted tcp 172.23.255.223(58230) -&gt; 172.16.0.2(80), 1 packet 2014-05-08T11:12:02.141604-04:00 lo21949.rgw01.lab.beanfield.com 193200: rgw01.lab: May 8 11:11:10.649: %SEC-6-IPACCESSLOGP: list FILTER:TV:IN permitted tcp 172.23.255.190(46180) -&gt; 172.16.0.4(80), 1 packet 2014-05-08T11:11:53.415260-04:00 lo21949.rgw01.lab.beanfield.com 193199: rgw01.lab: May 8 11:11:01.922: %SEC-6-IPACCESSLOGP: list FILTER:TV:IN permitted tcp 172.23.255.238(35810) -&gt; 172.16.0.2(80), 1 packet 2014-05-08T11:11:37.322462-04:00 lo21949.rgw01.lab.beanfield.com 193198: rgw01.lab: May 8 11:10:45.833: %SEC-6-IPACCESSLOGRP: list FILTER:TV:IN permitted igmp 172.23.255.249 -&gt; 224.0.0.22, 1 packet 2014-05-08T11:11:36.274565-04:00 lo21949.rgw01.lab.beanfield.com 193197: rgw01.lab: May 8 11:10:44.784: %SEC-6-IPACCESSLOGRP: list FILTER:TV:IN permitted igmp 172.23.255.191 -&gt; 224.0.0.22, 1 packet 2014-05-08T11:11:35.038938-04:00 lo21949.rgw01.lab.beanfield.com 193196: rgw01.lab: May 8 11:10:43.548: %SEC-6-IPACCESSLOGP: list FILTER:TV:IN permitted tcp 172.23.255.228(55093) -&gt; 172.16.0.2(80), 1 packet 2014-05-08T11:11:32.034399-04:00 lo21949.rgw01.lab.beanfield.com 193195: rgw01.lab: May 8 11:10:40.544: %SEC-6-IPACCESSLOGRP: list FILTER:TV:IN permitted igmp 172.23.255.190 -&gt; 224.0.0.22, 1 packet 2014-05-08T11:11:29.210428-04:00 lo21949.rgw01.lab.beanfield.com 193194: rgw01.lab: May 8 11:10:37.719: %SEC-6-IPACCESSLOGP: list FILTER:TV:IN permitted tcp 172.23.255.248(46516) -&gt; 172.16.0.2(80), 1 packet 2014-05-08T11:11:21.422505-04:00 lo21949.rgw01.lab.beanfield.com 193193: rgw01.lab: May 8 11:10:29.929: %SEC-6-IPACCESSLOGP: list FILTER:TV:IN permitted tcp 172.23.255.249(59616) -&gt; 172.16.0.2(80), 1 packet 2014-05-08T11:11:04.257287-04:00 lo21949.rgw01.lab.beanfield.com 193191: rgw01.lab: May 8 11:10:12.767: %SEC-6-IPACCESSLOGP: list FILTER:TV:IN permitted tcp 172.23.255.190(46178) -&gt; 172.16.0.4(80), 1 packet 2014-05-08T11:10:53.425363-04:00 lo21949.rgw01.lab.beanfield.com 193190: rgw01.lab: May 8 11:10:01.935: %SEC-6-IPACCESSLOGP: list FILTER:TV:IN permitted tcp 172.23.255.238(35809) -&gt; 172.16.0.2(80), 1 packet 2014-05-08T11:10:45.705140-04:00 lo21949.rgw01.lab.beanfield.com 193189: rgw01.lab: May 8 11:09:54.214: %SEC-6-IPACCESSLOGP: list FILTER:TV:IN permitted tcp 172.23.255.188(37544) -&gt; 172.16.0.2(80), 1 packet 2014-05-08T11:10:36.785036-04:00 lo21949.rgw01.lab.beanfield.com 193188: rgw01.lab: May 8 11:09:45.295: %SEC-6-IPACCESSLOGRP: list FILTER:TV:IN permitted igmp 172.23.255.188 -&gt; 224.0.0.22, 1 packet 2014-05-08T11:10:35.457510-04:00 lo21949.rgw01.lab.beanfield.com 193187: rgw01.lab: May 8 11:09:43.969: %SEC-6-IPACCESSLOGRP: list FILTER:TV:IN permitted igmp 172.23.255.191 -&gt; 224.0.0.22, 1 packet 2014-05-08T11:10:32.421042-04:00 lo21949.rgw01.lab.beanfield.com 193185: rgw01.lab: May 8 11:09:40.929: %SEC-6-IPACCESSLOGRP: list FILTER:TV:IN permitted igmp 172.23.255.249 -&gt; 224.0.0.22, 1 packet 2014-05-08T11:10:29.186012-04:00 lo21949.rgw01.lab.beanfield.com 193184: rgw01.lab: May 8 11:09:37.695: %SEC-6-IPACCESSLOGP: list FILTER:TV:IN permitted tcp 172.23.255.248(46514) -&gt; 172.16.0.2(80), 1 packet 2014-05-08T11:10:28.054410-04:00 lo21949.rgw01.lab.beanfield.com 193183: rgw01.lab: May 8 11:09:36.561: %SEC-6-IPACCESSLOGP: list FILTER:TV:IN permitted tcp 172.23.255.191(53344) -&gt; 172.16.0.2(80), 1 packet 2014-05-08T11:10:21.628942-04:00 lo21949.rgw01.lab.beanfield.com 193182: rgw01.lab: May 8 11:09:30.139: %SEC-6-IPACCESSLOGP: list FILTER:TV:IN permitted tcp 172.23.255.249(59613) -&gt; 172.16.0.2(80), 1 packet 2014-05-08T11:10:16.498384-04:00 lo21949.rgw01.lab.beanfield.com 193181: rgw01.lab: May 8 11:09:25.008: %SEC-6-IPACCESSLOGP: list FILTER:TV:OUT permitted udp 172.16.5.4(50904) -&gt; 232.16.2.17(2017), 600 packets 2014-05-08T11:10:16.498182-04:00 lo21949.rgw01.lab.beanfield.com 193180: rgw01.lab: May 8 11:09:25.008: %SEC-6-IPACCESSLOGP: list FILTER:TV:OUT permitted udp 172.16.5.15(34829) -&gt; 232.16.2.160(2160), 600 packets 2014-05-08T11:10:06.881113-04:00 lo21949.rgw01.lab.beanfield.com 193178: rgw01.lab: May 8 11:09:15.390: %SEC-6-IPACCESSLOGP: list FILTER:TV:IN permitted tcp 172.23.255.223(58228) -&gt; 172.16.0.2(80), 1 packet 2014-05-08T11:10:04.478482-04:00 lo21949.rgw01.lab.beanfield.com 193177: rgw01.lab: May 8 11:09:12.987: %SEC-6-IPACCESSLOGP: list FILTER:TV:IN permitted tcp 172.23.255.190(46177) -&gt; 172.16.0.4(80), 1 packet 2014-05-08T11:09:51.405301-04:00 lo21949.rgw01.lab.beanfield.com 193176: rgw01.lab: May 8 11:08:59.914: %SEC-6-IPACCESSLOGP: list FILTER:TV:IN permitted tcp 172.23.255.249(59611) -&gt; 172.16.0.2(80), 1 packet 2014-05-08T11:09:45.901948-04:00 lo21949.rgw01.lab.beanfield.com 193175: rgw01.lab: May 8 11:08:54.412: %SEC-6-IPACCESSLOGP: list FILTER:TV:IN permitted tcp 172.23.255.188(37543) -&gt; 172.16.0.2(80), 1 packet </CODE></PRE> <P>I'm not sure what else I might need to do... Any advice?</P> <P>Thanks.</P> Thu, 08 May 2014 21:49:05 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extractions-not-working/m-p/157859#M44470 jlixfeld 2014-05-08T21:49:05Z https://community.splunk.com/t5/Splunk-Search/Field-Extractions-not-working/m-p/157860#M44471 <P>please provide a sample of the events to verify the rex.</P> Thu, 08 May 2014 22:39:48 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extractions-not-working/m-p/157860#M44471 yannK 2014-05-08T22:39:48Z https://community.splunk.com/t5/Splunk-Search/Field-Extractions-not-working/m-p/157861#M44472 <P>Thanks. Original post updated to include sample data.</P> Fri, 09 May 2014 13:57:47 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extractions-not-working/m-p/157861#M44472 jlixfeld 2014-05-09T13:57:47Z https://community.splunk.com/t5/Splunk-Search/Field-Extractions-not-working/m-p/157862#M44473 <P>I see there is an extra space in your regex before word 'list'. I just removed it and your regex expression worked for your sample logs.</P> Fri, 09 May 2014 14:03:31 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extractions-not-working/m-p/157862#M44473 somesoni2 2014-05-09T14:03:31Z https://community.splunk.com/t5/Splunk-Search/Field-Extractions-not-working/m-p/157863#M44474 <P>Son of a ... Damn, how careless of me. Thanks, seems to work now.</P> Fri, 09 May 2014 14:21:29 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extractions-not-working/m-p/157863#M44474 jlixfeld 2014-05-09T14:21:29Z