
Why are my fields not showing after using interactive field extractor?

ulrich_track
Path Finder

I want to extract fields from my log files, so I used the interactive field extractor. A regex was created; I tested and stored it and gave permissions to the search app.

When I enter the search app, my field does not show up, even when I select the same sourcetype. The field occurs in 195 of 7000 events.

What did I miss?
Is there also any tutorial on how to use Splunk-specific regexes (e.g. ?P and that stuff)?

1 Solution

ulrich_track
Path Finder

I just found the problem:
I named the FIELDNAME with a hyphen inside (Server-ID).
When deleting the Field Extraction, creating it again but storing under a name without a hyphen (ServerID), it showed up.
If hyphens pose a problem to Splunk, the programmers should send a warning message that hyphens are not allowed, shouldn't they?


Runals
Motivator

I recommend using either of the following sites to test your regex. If you load a few example logs there, you can see how well it matches.

http://regex101.com

http://www.regexr.com/v1

The other way is to pull your regex out of the transforms and pop it into your search, a la

... | rex "<your regex>" | table <rex defined field> _raw

If you wanted to get crazy, you could do something like the following, as it is usually the punctuation that throws off rex statements (maybe just mine =).

... | dedup punct | rex "<your regex>" | table <rex defined field> _raw

The other issue is one of permissions but that is a harder nut to crack.

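The two pieces of advice above (test the regex against a handful of representative events, and mind the field name) can be checked offline without a Splunk instance. Splunk's field extractions are PCRE named capture groups, the (?P<name>...) syntax the question asks about, and PCRE, like Python's re module, only accepts identifier characters (letters, digits, underscore) in a group name, which is why Server-ID failed and ServerID worked. The following Python is an added example, not code from the thread or from Splunk: the events are constructed, the rex_table and dedup_punct helpers only approximate the SPL commands, and the punct function is an assumed simplification of Splunk's punct field, not its exact algorithm.

```python
import re

# Constructed sample events (not from the original post). The layout is made up;
# "Server-ID=<digits>" is the token the poster wanted as a field.
SAMPLE_EVENTS = [
    '2024-03-01T10:00:01Z host=web01 msg="request ok" Server-ID=4711 status=200',
    '2024-03-01T10:00:02Z host=web02 msg="request ok" status=200',
    '2024-03-01T10:00:03Z host=web03 msg="backend timeout" Server-ID=9001 status=504',
    '2024-03-01T10:00:04Z host=web01 msg="request ok" Server-ID=4711 status=200',
]


def try_compile(field_name):
    """Compile the named-group extraction the IFX would store for `field_name`.

    Returns (pattern, None) on success, or (None, error_text) when the regex
    engine rejects the group name. Python's `re` and PCRE share the rule that
    a group name is an identifier: letters, digits, underscore, no hyphen.
    """
    try:
        return re.compile(rf"Server-ID=(?P<{field_name}>\d+)"), None
    except re.error as exc:
        return None, str(exc)


def rex_table(pattern, events):
    """Rough equivalent of `... | rex "<regex>" | table <field> _raw`.

    One row per event: the extracted fields (empty when the regex does not
    match, which is how a field ends up in only 195 of 7000 events) and _raw.
    """
    rows = []
    for raw in events:
        m = pattern.search(raw)
        rows.append((m.groupdict() if m else {}, raw))
    return rows


def punct(raw, width=30):
    """Assumed simplification of Splunk's `punct` field (not its exact algorithm):
    drop letters and digits, map spaces to '_', keep the first `width` chars."""
    shape = []
    for c in raw:
        if c.isalnum():
            continue
        shape.append("_" if c == " " else c)
    return "".join(shape)[:width]


def dedup_punct(events):
    """Rough equivalent of `... | dedup punct`: keep the first event of each
    punctuation shape, so the regex is eyeballed against one representative
    of every event layout instead of thousands of look-alikes."""
    seen, kept = set(), []
    for raw in events:
        p = punct(raw)
        if p not in seen:
            seen.add(p)
            kept.append(raw)
    return kept


def coverage(pattern, events):
    """How many events the extraction actually matches (the 195-of-7000 check)."""
    return sum(1 for raw in events if pattern.search(raw))


if __name__ == "__main__":
    _, err = try_compile("Server-ID")
    print("Server-ID ->", err)  # the regex engine rejects the group name
    good, _ = try_compile("ServerID")
    for fields, raw in rex_table(good, dedup_punct(SAMPLE_EVENTS)):
        print(fields.get("ServerID"), "|", raw)
    print(coverage(good, SAMPLE_EVENTS), "of", len(SAMPLE_EVENTS), "events matched")
```

Running it shows the hyphenated name failing at compile time, the dedup step collapsing the four events to two distinct layouts, and the working extraction matching three of four events; the one that does not match has no Server-ID token at all, which is the first thing to rule out before blaming permissions.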



MuS
SplunkTrust

Can you provide some sample events and the regex used?
