
Why are my fields not showing after using interactive field extractor?

ulrich_track
Path Finder

I want to extract fields from my log files. Therefore I used the interactive field extractor. A regex was created; I tested and stored it and gave permissions to the search app.

When I enter the search app, my field does not show up, even when I select the same sourcetype. The field occurs in 195 of 7000 events.

What did I miss?
Is there also any tutorial on how to use Splunk-specific regexes (e.g. ?P and that stuff)?

1 Solution

ulrich_track
Path Finder

I just found the problem:
I named the FIELDNAME with a hyphen inside (Server-ID).
When deleting the Field Extraction, creating it again but storing it under a name without a hyphen (ServerID), it showed up.
If hyphens pose a problem to Splunk, the programmers should send a warning message that hyphens are not allowed, shouldn't they?


Runals
Motivator

I recommend using either of the following sites to test your regex. If you load a few example logs there you can see how well it matches.

http://regex101.com

http://www.regexr.com/v1

The other way is to pull your regex out of the transforms and pop it into your search, à la

... | rex "<your regex>" | table <rex defined field> _raw

If you wanted to get crazy you could do something like the following, as it is usually the punctuation that throws off rex statements (maybe just mine =).

... | dedup punct | rex "<your regex>" | table <rex defined field> _raw

The other issue is one of permissions but that is a harder nut to crack.

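An added example, not code from the thread, that mirrors the advice above: it runs a Splunk-style named-capture regex (the same (?P<name>...) syntax rex and field extractions use) over constructed sample events, reports how many events carry the field, and shows why a hyphenated group name such as Server-ID is rejected while ServerID works. The events, the regex and the function names are all assumptions made for this example.

```python
import re

# Constructed sample events (not taken from the thread); only some carry a server id.
SAMPLE_EVENTS = [
    "2024-03-01T10:00:00 INFO  srv=web01 Server-ID=4711 request served",
    "2024-03-01T10:00:01 INFO  health check ok",
    "2024-03-01T10:00:02 WARN  srv=web02 Server-ID=4712 slow response",
    "2024-03-01T10:00:03 ERROR disk full",
]

def field_name_is_valid(field_name: str) -> bool:
    """A capture-group name must be letters, digits and underscores only and
    must not start with a digit; 'Server-ID' fails this, 'ServerID' passes."""
    return re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", field_name) is not None

def compile_extraction(field_name: str, value_pattern: str = r"\d+"):
    """Build the extraction regex with a named group, as a rex command or a
    field-extraction config would. Raises re.error for an invalid group name."""
    return re.compile(r"Server-ID=(?P<%s>%s)" % (field_name, value_pattern))

def extraction_compiles(field_name: str) -> bool:
    """True if the regex engine accepts the field name as a group name."""
    try:
        compile_extraction(field_name)
        return True
    except re.error:
        return False

def extract(events, field_name):
    """Apply the extraction to every event; return (matched, total, values),
    the equivalent of '| rex ... | table <field> _raw' plus a count."""
    pattern = compile_extraction(field_name)
    values = [m.group(field_name) for raw in events
              if (m := pattern.search(raw)) is not None]
    return len(values), len(events), values

if __name__ == "__main__":
    for name in ("Server-ID", "ServerID"):
        if not field_name_is_valid(name) or not extraction_compiles(name):
            print(f"{name!r}: invalid capture-group name, extraction rejected")
            continue
        matched, total, values = extract(SAMPLE_EVENTS, name)
        print(f"{name!r}: field present in {matched} of {total} events: {values}")
```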

MuS
SplunkTrust

Can you provide some sample events and the regex used?
