The search statement like the following:
host = "*****" | rex field=data.textPyaload "time_ms=(?[\s]+)" | timechart span=1m avg(time_ms)
I can get the statistics in search&reporting app, but in quality monitoring app, there are no results. Is there any limit in quality monitoring app that I can't execute rex command?
what is the "quality monitoring app"?
my thoughts here are that the field extractions for the fields are on app level and therefore you cant see them in your "quality monitoring app"
try and run this from "quality monitring app" ... host=* | fields = data.textPyaload
and verify its extracted correctly
Thank you adonio.
There are many different apps in Splunk enterprise, Quality Monitoring is just one of them. I just use Search&Reporting and Quality Monitoring these two apps.
The problem is that I use the same search statement in these two apps, In Search&Reporting, when I run the search, I can get events and statistics, that's what I want. But in Quality Monitoring, I can get events and it's same as Search&Reporting, but can't get statistics.
The problem is not with the rex
command, which is available to all apps. You are probably using some knowledge object which is part of the Search & Reporting app and is shared only for app (not global) access. Check the permissions settings on the objects you may have created.
Thank you richgalloway,
I guess there is something wrong with permission, because after run the search statement, the events are same in Search&Reporting and Quality Monitoring app, the difference is we can extract value from log in Search&Reporting app, while can't in Quality Monitoring app.
As you said, Check the permissions settings on the objects you may have created. What's your mean of objects.
Knowledge objects are things like eventtypes, tags, field extractions, etc.