Splunk Search

After creating a field extraction, why do search results display different matches that are not related to my field extraction?

smhsplunk
Communicator

I am trying to extract a keyword from an event

2011-03-11 09:12:00  123   INF-1   ConStopped ::CLIenteleCompletd1_Per

When I am using Field Extraction GUI, I am selecting the complete part ConStopped ::CLIenteleCompletd1_Per for Regular Expression.

It shows all the right events (also in the Matches option) during creation, but when I click on (View in Search) it comes up with over 100+ different types of matches which have nothing to do with this pattern.

In the extraction/transform, it has

^(?:[^ \n]* ){9}(?P<co_complete>.+) 

Things I have already done are:
(a) Made sure the permission is global across all app
(b) Even tried to use http://splunk:8000/en-US/debug/refresh
(c) During creation, Non-Matches window is empty, also Matches only show this exact event in different time-stamps (no non-matched events to delete)

But nothing improves.

I have a feeling the Splunk regex is not great, but when I try to edit it manually myself, it doesn't work. When I did this previously it also didn't show in the left side panel of search.

0 Karma

gokadroid
Motivator

Can you try this:

yourBaseSearch
| rex field=_raw ".*\s(?< yourField>[^\s]+\s+?::[^\s]+).*"
|complete your search

yourField should have the data you are looking for. Take care to remove the space in < yourField>

If INF-1 will always be present in your search then alternatively you can use this:

yourBaseSearch
| rex field=_raw ".*INF-1\s(?< yourField>[^\s]+\s+?::[^\s]+).*"
| complete your search

0 Karma

somesoni2
Revered Legend

Based on your one sample event, try this regular expression

^(\S+\s){4}(?<co_complete>.+)

0 Karma
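To see why the GUI-generated regex from the question pulls in unrelated events while the `::`-anchored rex from the first answer does not, here is an added example (not from the thread) that runs the three regexes above over the posted event and one constructed, unrelated event. It uses Python's re module as a stand-in for Splunk's PCRE, so the named groups are written `(?P<name>...)` instead of `(?<name>...)`; the sample event is taken exactly as written in the question, including its runs of multiple spaces.

```python
import re

# The event exactly as posted in the question (note the multiple spaces).
SAMPLE = "2011-03-11 09:12:00  123   INF-1   ConStopped ::CLIenteleCompletd1_Per"

# Constructed, unrelated event that also has more than nine space-separated tokens.
UNRELATED = ("2011-03-11 09:13:42 456 WARN user=bob action=login "
             "src=10.0.0.5 result=ok extra tokens here")

# Splunk's PCRE accepts (?<name>...); Python's re needs (?P<name>...).
REGEXES = {
    # Regex Splunk's Field Extraction GUI generated: purely positional,
    # it skips nine space-delimited tokens (empty ones count) and takes the rest.
    "gui_positional": r"^(?:[^ \n]* ){9}(?P<co_complete>.+)",
    # gokadroid's rex: anchored on the 'word ::word' content itself.
    "anchored_on_content": r".*\s(?P<co_complete>[^\s]+\s+?::[^\s]+).*",
    # somesoni2's regex: skips exactly four single-space-delimited tokens.
    "four_tokens": r"^(\S+\s){4}(?P<co_complete>.+)",
}


def extract(pattern_name, event):
    """Return the co_complete value a regex extracts from one event, or None."""
    match = re.search(REGEXES[pattern_name], event)
    return match.group("co_complete") if match else None


def distinct_values(pattern_name, events):
    """Mimic the left-hand field panel in search: distinct values over all events."""
    values = {extract(pattern_name, e) for e in events}
    values.discard(None)
    return sorted(values)


if __name__ == "__main__":
    for name in REGEXES:
        print(f"{name:20s} sample={extract(name, SAMPLE)!r}")
        print(f"{name:20s} unrelated={extract(name, UNRELATED)!r}")
```

The positional regexes match any event with enough whitespace-separated tokens and capture whatever follows, which is exactly the pile of unrelated values seen in "View in Search"; the content-anchored regex returns nothing for events without the `::` pattern, and the four-token regex is sensitive to the exact run of spaces in the event.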