https://community.splunk.com/t5/Splunk-Search/Automatic-field-extraction-is-failing-for-one-field/m-p/159624#M45066 <P>I have edited the original question, let me know if that helps.<BR /> Thank you,</P> Wed, 17 Jun 2015 14:01:44 GMT omgwut56k 2015-06-17T14:01:44Z https://community.splunk.com/t5/Splunk-Search/Automatic-field-extraction-is-failing-for-one-field/m-p/159620#M45062 <P>I have a field value named 'category' the raw values are for example. </P> <P>"Audit Global - ABC - Login and Logout Audit"<BR /> "Audit Global - ABC - Login - SQL Exception"</P> <P>When searching, the values for category are returned as only 'Audit' or the first 5 characters of the raw value. The field extraction is not working correctly for this field. </P> <P>Any ideas on what to look at? </P> <P>Thank you</P> Wed, 17 Jun 2015 13:33:42 GMT https://community.splunk.com/t5/Splunk-Search/Automatic-field-extraction-is-failing-for-one-field/m-p/159620#M45062 omgwut56k 2015-06-17T13:33:42Z https://community.splunk.com/t5/Splunk-Search/Automatic-field-extraction-is-failing-for-one-field/m-p/159621#M45063 <P>Show us your <CODE>configuration files</CODE> and your <CODE>Knowledge Objects</CODE>.</P> Wed, 17 Jun 2015 13:44:52 GMT https://community.splunk.com/t5/Splunk-Search/Automatic-field-extraction-is-failing-for-one-field/m-p/159621#M45063 woodcock 2015-06-17T13:44:52Z https://community.splunk.com/t5/Splunk-Search/Automatic-field-extraction-is-failing-for-one-field/m-p/159622#M45064 <P>hi,<BR /> please can you rephrase your question? because I do not compends you well</P> Wed, 17 Jun 2015 13:46:44 GMT https://community.splunk.com/t5/Splunk-Search/Automatic-field-extraction-is-failing-for-one-field/m-p/159622#M45064 gyslainlatsa 2015-06-17T13:46:44Z https://community.splunk.com/t5/Splunk-Search/Automatic-field-extraction-is-failing-for-one-field/m-p/159623#M45065 <P>Hi Woodcock, I've re-phrased my question, it might not have been phrased very clearly.</P> <P>props only contains a couple of unrelated field extractions and no transforms. Is there something specific you are interested in?</P> Wed, 17 Jun 2015 14:01:25 GMT https://community.splunk.com/t5/Splunk-Search/Automatic-field-extraction-is-failing-for-one-field/m-p/159623#M45065 omgwut56k 2015-06-17T14:01:25Z https://community.splunk.com/t5/Splunk-Search/Automatic-field-extraction-is-failing-for-one-field/m-p/159624#M45066 <P>I have edited the original question, let me know if that helps.<BR /> Thank you,</P> Wed, 17 Jun 2015 14:01:44 GMT https://community.splunk.com/t5/Splunk-Search/Automatic-field-extraction-is-failing-for-one-field/m-p/159624#M45066 omgwut56k 2015-06-17T14:01:44Z https://community.splunk.com/t5/Splunk-Search/Automatic-field-extraction-is-failing-for-one-field/m-p/159625#M45067 <P>This can be done pretty easily if you know when the value ends, i.e. if you know these values are enclosed in some special characters (like category="audit global ... exception") or if you know how the next field name is (like category=audit global ... exception next_field=). For the first case, define an EXTRACT-category in props.conf with the regular expression</P> <PRE><CODE>category="(?&lt;category&gt;[^"]*?)" </CODE></PRE> <P>or for the second do something like</P> <PRE><CODE>category=(?&lt;category&gt;.+?)\s+new_field </CODE></PRE> <P>See <A href="http://docs.splunk.com/Documentation/Splunk/6.2.3/Knowledge/Managesearch-timefieldextractions">here</A> for the documentation on how to do those extractions.</P> Wed, 17 Jun 2015 14:04:55 GMT https://community.splunk.com/t5/Splunk-Search/Automatic-field-extraction-is-failing-for-one-field/m-p/159625#M45067 jeffland 2015-06-17T14:04:55Z https://community.splunk.com/t5/Splunk-Search/Automatic-field-extraction-is-failing-for-one-field/m-p/159626#M45068 <P>Perfect! Thank you.</P> Wed, 17 Jun 2015 14:22:29 GMT https://community.splunk.com/t5/Splunk-Search/Automatic-field-extraction-is-failing-for-one-field/m-p/159626#M45068 omgwut56k 2015-06-17T14:22:29Z