All Apps and Add-ons
Highlighted

Field extractions not creating fields at search time

Path Finder

So I've been working on a particularly complicated and convoluted set of log files that require a bit of regex work to be done. weve gotten the field extraction page to grab the right fields, and even test the rex on the data set, first head 10000 and then no head at all, and it works fine. however once we save the extractions we get nothing, no fields ever show up, ever if we tell it to show fields with no related records. any idea what we are missing here?

Edit:__
all extractions are in the search app, but are given global permissions.

We have restarted or Splunk server several times, a few of the extractions from our transforms file show up but that's it.

As for our formatting the field extractor builds them and we will click the test button and it works just fine in the testing window, but it's exactly when we save it that it just disappears.

We just updated to Splunk ver6 are we missing some configurations?

0 Karma
Highlighted

Re: Field extractions not creating fields at search time

Champion

are they saved in the same app you are using?

0 Karma
Highlighted

Re: Field extractions not creating fields at search time

Path Finder

yes they are, everything is inside the search app, and they all have global permissions.

0 Karma
Highlighted

Re: Field extractions not creating fields at search time

SplunkTrust
SplunkTrust

Just try restarting splunk. I had it working so many times doing that.

0 Karma
Highlighted

Re: Field extractions not creating fields at search time

Ultra Champion

You don't have any hyphens in the field names?

problem: my-new-field
will work: mynewfield
will work: myNewField

Post the configs also, so that you can get help with debugging. You should be aware that there will be slight differences in the regex, depending on whether you use it in a props.conf EXTRACT, or in a rex statement in the search query. (mainly to handle escaping)

/k

Highlighted

Re: Field extractions not creating fields at search time

Path Finder

We have restarted or Splunk server several times, a few of the extractions from our transforms file show up but that's it.

As for our formatting the field extractor builds them and we will click the test button and it works just fine in the testing window, but it's exactly when we save it that it just disappears.

We just updated to Splunk ver6 are we missing some configurations?

0 Karma
Highlighted

Re: Field extractions not creating fields at search time

Ultra Champion

Do you give the fields names with hyphens?

Highlighted

Re: Field extractions not creating fields at search time

Path Finder

No hyphens in the field names, but some names do contain spaces.

0 Karma
Highlighted

Re: Field extractions not creating fields at search time

Path Finder

Wait a minute.. That makes me an idiot, ok editing my extractions now to kill all of those! Thanks for your help!

0 Karma
Highlighted

Re: Field extractions not creating fields at search time

Path Finder

Because of how detailed the fields are I was using multiple words to name them and was inadvertently adding spaces to my field names causing them to not work after saving them. Thanks Kristian!

View solution in original post