https://community.splunk.com/t5/Splunk-Search/Missing-Event-details-when-trying-to-Extract-Fields-from-an/m-p/31041#M6390 <P>unfortunately, no.</P> Fri, 27 Aug 2010 02:48:32 GMT carasso 2010-08-27T02:48:32Z https://community.splunk.com/t5/Splunk-Search/Missing-Event-details-when-trying-to-Extract-Fields-from-an/m-p/31038#M6387 <P>I have the following raw AD event which I can see from my search:</P> <PRE><CODE>08/16/2010 12:55:56.0110 dcName=w2k3r2.demo.dev admonEventType=Update Names: objectCategory=CN=Service-Connection-Point,CN=Schema,CN=Configuration,DC=demo,DC=dev name=bsmith displayName=$CimsUserVersion2 distinguishedName=CN=bsmith,CN=Users,CN=default,CN=Zones,CN=Centrify,CN=Program Data,DC=demo,DC=dev cn=bsmith Object Details: objectGUID=cffb0829-0642-134c-2ef1-f03cc696e10b whenChanged=20100816195556.0Z whenCreated=20070906020209.0Z objectClass=top|leaf|connectionPoint|serviceConnectionPoint Event Details: uSNChanged=127046 uSNCreated=14129 instanceType=4 Additional Details: keywords=foo:1111|bar:3333|too:3333 showInAdvancedViewOnly=TRUE </CODE></PRE> <P>Whenever I try to use the "Extact Fields" UI, the event is truncated after "Event Details" in the "Sample events" frame. What's preventing me from seeing the entire event?</P> Tue, 17 Aug 2010 03:17:06 GMT https://community.splunk.com/t5/Splunk-Search/Missing-Event-details-when-trying-to-Extract-Fields-from-an/m-p/31038#M6387 mpatnode 2010-08-17T03:17:06Z https://community.splunk.com/t5/Splunk-Search/Missing-Event-details-when-trying-to-Extract-Fields-from-an/m-p/31039#M6388 <P>In order to prevent the limited screen real estate from exploding, sample events are truncated at 15 lines (with at most 100 events). I have filed a request for improvement. </P> <P>From the standard search view, you can still manually test out a regex with the 'rex' search command, and when it works, manually add that regex to your source or sourcetype from the Manager (i.e., Manager » Fields » Field extractions)</P> Tue, 17 Aug 2010 05:55:05 GMT https://community.splunk.com/t5/Splunk-Search/Missing-Event-details-when-trying-to-Extract-Fields-from-an/m-p/31039#M6388 carasso 2010-08-17T05:55:05Z https://community.splunk.com/t5/Splunk-Search/Missing-Event-details-when-trying-to-Extract-Fields-from-an/m-p/31040#M6389 <P>Well that explains that. I did figure out how to use 'rex' as a work around. The next question is can I do dynamic field name generation the same way Splunk does? Something like this:</P> <P>sourcetype="ActiveDirectory" keywords=* | rex field=_raw "keywords=(?&lt;_KEY_1&gt;[a-z]<EM>):(?&lt;_VALUE_1&gt;[0-9]</EM>)</P> Mon, 28 Sep 2020 09:16:05 GMT https://community.splunk.com/t5/Splunk-Search/Missing-Event-details-when-trying-to-Extract-Fields-from-an/m-p/31040#M6389 mpatnode 2020-09-28T09:16:05Z https://community.splunk.com/t5/Splunk-Search/Missing-Event-details-when-trying-to-Extract-Fields-from-an/m-p/31041#M6390 <P>unfortunately, no.</P> Fri, 27 Aug 2010 02:48:32 GMT https://community.splunk.com/t5/Splunk-Search/Missing-Event-details-when-trying-to-Extract-Fields-from-an/m-p/31041#M6390 carasso 2010-08-27T02:48:32Z