Splunk Search

After creating field extractions using the field extractor in Splunk Web, why are none of the fields returned in search results?

dbcase
Motivator

Hi,

First time trying this. I have the below data. Using the | character as a delimiter, then going thru the field extractor GUI, it extracts 5 fields. So far so good. Then I rename 3 of the fields to a more descriptive name. Then it asks me to save it which I do, then there is an option to do a search with the fields I've just defined. I click on it and it shows a search, but none of the fields I just defined are there. Very strange. What am I missing?

15:15:55.664 | [[ACTIVE] ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] | DEBUG | splunk - | {'externalRefId':'exr654321','message':'RMA service return 202','serverResponseTimeMs':'143'}
0 Karma
1 Solution

dbcase
Motivator

found a way to get this to work..... Cleared out all the events and recreated new ones. Then the field extractor worked....better, not perfect but much better than before

View solution in original post

0 Karma

dbcase
Motivator

found a way to get this to work..... Cleared out all the events and recreated new ones. Then the field extractor worked....better, not perfect but much better than before

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...