Splunk Search

Create tag for rex field

bablucho
Path Finder

Hey All,

I get no results found for a tag that looks for fields created by a rex.

So...

sourcetype=DataServices | rex "JOB: Job (?<BIMEJob><(?<=<).*(?=>)>)"

I get the following field with results:

[screenshot attachment: extracted BIMEJob field values]


Now I want to bunch some field values together, so I create a tag containing the field values I care about:

[screenshot attachment: tag definition]


Added to my search, but I get "no results found"...

sourcetype=DataServices tag=GB1_BIME | rex "JOB: Job (?<BIMEJob><(?<=<).*(?=>)>)"

Greatly appreciated if someone could help?

 

1 Solution

bowesmana
SplunkTrust

I didn't think you could have tags created during the search based on statements that occur in the search. There is a defined order of search-time operations, where tags are created last:

https://docs.splunk.com/Documentation/Splunk/8.2.2/Knowledge/Searchtimeoperationssequence

but if you start doing rex statements during your query, I don't think Splunk will then recalculate tags again based on the new fields you have created.

If you want to create tags, then create the BIMEJob field as a field extraction, so it will be available before the tags are created. However, I suspect @richgalloway's answer that the two definitions are not supported will still hold true.

You could, however, create an eventtype where you have the two conditions BIMEJob=A OR BIMEJob=B and then assign the tag to the eventtype, but this would again have to be done pre-search.

 

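The approach described in the accepted answer, written out as an added example (not the poster's configuration or Splunk's own files): the field extraction is moved out of the search and into props.conf so it exists when tags are evaluated, the two values are grouped in an eventtype, and the tag is attached to the eventtype instead of to the rex-created field. The stanza names, the `[^>]+` simplification of the original lookaround regex (it stops at the first closing bracket rather than the last), and the second job value are assumptions; only `<ds.scheduler.job>` appears in the thread.

```ini
# props.conf  (added example; assumes the files live in the app's local/ directory
# and that the raw event text contains "JOB: Job <name>")
[DataServices]
EXTRACT-bimejob = JOB: Job (?<BIMEJob><[^>]+>)

# eventtypes.conf -- group the two values of interest in one search-time knowledge
# object; "<ds.scheduler.job>" is the value visible in the thread, the second is a
# placeholder to replace with the real job name
[gb1_bime_jobs]
search = sourcetype=DataServices (BIMEJob="<ds.scheduler.job>" OR BIMEJob="<PLACEHOLDER_SECOND_JOB>")

# tags.conf -- tag the eventtype rather than the individual field=value pairs,
# so the tag no longer depends on a field that only exists after rex runs
[eventtype=gb1_bime_jobs]
GB1_BIME = enabled
```

After a restart or a debug/refresh, the search that returned nothing in the question becomes `sourcetype=DataServices tag=GB1_BIME | stats count by BIMEJob`, with no `rex` stage needed, because the extraction, eventtype and tag are all applied in the order the linked search-time operations sequence describes.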


bablucho
Path Finder

@bowesmana thanks for your input.

I've tried other suggestions, i.e. placing quotation marks, removing <>, but no dice.

It seems you are right by the documentation that it is not possible, because tags are created last in the search-time operation order.

I will instead use line breaking to break the events correctly; this way the fields I care about will be created automatically at index time.

richgalloway
SplunkTrust

The tag expects the BIMEJob field to have two values at the same time, which is not possible.

---
If this reply helps you, Karma would be appreciated.

bablucho
Path Finder

The BIMEJob field returns multiple values, but I want only the 2 values as defined in the tag.

 

Apologies, I do not understand why it would not return results for the tag, as the BIMEJob field does contain the values in the tag; it just doesn't show them in the search.

richgalloway
SplunkTrust

I'm wondering if the angle brackets are interfering with things. Try putting quotation marks around the right-hand side of each tag pair.

BIMEJob="<ds.scheduler.job>"

 

---
If this reply helps you, Karma would be appreciated.