Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Fields search doesn't work when filtering internal...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fields search doesn't work when filtering internal fields
Here is the search string:
MissingUserData exchange rate | rex "ID :(?
This returns 8 records on a specific time frame. But it returns the whole log string.
If I add " | fields - _*"
to only get the values of ORDERID in the results like this:
MissingUserData exchange rate | rex "ID :(?
I get nothing.
That behavior just baffles me. Anyone has an idea why that might be?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm just a noob but I think the results of the search will be "ORDERID=2646042148." If you need to pass just "2646042148" you might need to rename the ORDERID field to query and return just that. I think I read this on post Ayn responded to once. Your query (subquery actually) would be something like:
[ MissingUserData exchange rate | rex "ID :(?<ORDERID>.+)" | rename ORDERID as query | fields query ]
I did that for a query where I was looking up IPs in a lookup table and throwing them against some very unstructured data. My query was as follows where the column name in test2.csv was IP. This does impact search performance and like I said I'm a noob so in the interest of full disclosure YMMV
index=netflow [| inputlookup test2.csv | rename IP as query | fields query ]
Note the following link: http://docs.splunk.com/Documentation/Splunk/4.3.4/User/HowSubsearchesWork
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you Runals. You hit it on the nail with your answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
"The whole log string" is stored in the field _raw, so when you do | fields - _* you're removing that field as well, which is why you're not seeing any events - you should only be seeing your values for ORDERID.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is a sample log that shows up, instead of just giving me the values for ORDERID:
2012-02-06T03:07:54.739-08:00 lvp-p2-nppaysys01 BibitServer[9081]: WARNING: LogCategory [MissingUserData] No exchange rate for Order ID :2646042148
Note that I can get only ORDERID values displayed with:
MissingUserData exchange rate | rex "ID :(?<ORDERID>.+)" | fields ORDERID | table ORDERID
But then I can't use that to feed it to another search, as it fails.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
