Hey All,
I get "No results found" for a tag that looks for fields created by a rex.
So...
sourcetype=DataServices | rex "JOB: Job (?<BIMEJob><(?<=<).*(?=>)>)"
I get the following field with results.
Now I want to bunch some field values together, so I create a tag containing the field values I care about,
add it to my search, but I get "No results found"...
sourcetype=DataServices tag=GB1_BIME | rex "JOB: Job (?<BIMEJob><(?<=<).*(?=>)>)"
Greatly appreciated if someone could help?
I didn't think you could have tags created during the search based on statements that occur in the search. There is a defined order of search-time operations, where tags are created last:
https://docs.splunk.com/Documentation/Splunk/8.2.2/Knowledge/Searchtimeoperationssequence
but if you start doing rex statements during your query, I don't think Splunk will then recalculate tags again based on new fields you have created.
If you want to create tags, then create the BIMEJob field as a field extraction, so it will be available before the tags are created. However, I suspect @richgalloway's answer that the two definitions not being supported will still hold true.
You could, however, create an eventtype where you have the two conditions BIMEJob=A OR BIMEJob=B and then assign the tag to the eventtype, but this would again have to be done pre-search.
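As an added worked example (not from the thread), this is what the pre-search setup described above looks like in the three .conf files: a props.conf field extraction so BIMEJob exists before tagging runs, an eventtype covering the two job values, and the tag attached to that eventtype. The regex is rewritten to capture the job name without the angle brackets; "ds.scheduler.job" comes from the thread, SECOND_JOB_NAME is a placeholder for the other value.

```ini
# props.conf: search-time field extraction (runs before eventtypes and tags)
# Captures the text between < and > after "JOB: Job " into BIMEJob, brackets excluded.
[DataServices]
EXTRACT-bimejob = JOB: Job <(?<BIMEJob>[^>]+)>

# eventtypes.conf: one eventtype that matches either of the two job names.
# SECOND_JOB_NAME is a placeholder; replace it with the real second job value.
[gb1_bime_jobs]
search = sourcetype=DataServices (BIMEJob="ds.scheduler.job" OR BIMEJob="SECOND_JOB_NAME")

# tags.conf: tag the eventtype rather than trying to tag two field values at once.
[eventtype=gb1_bime_jobs]
GB1_BIME = enabled

# Resulting search, with no rex needed in the pipeline:
#   sourcetype=DataServices tag=GB1_BIME
```

Because the extraction now strips the angle brackets, the eventtype and tag values are written without them; if you keep brackets in the extracted value, quote them as in the suggestion later in this thread.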
@bowesmana thanks for your input.
I've tried other suggestions, i.e. placing quotation marks, removing <>, but no dice.
It seems you are right by the documentation that it is not possible, due to tags being created last in the search-time operation order.
I will instead use line breaking to break the events correctly; this way the fields I care about will be created automatically at index time.
The tag expects the BIMEJob field to have two values at the same time, which is not possible.
The BIMEJob field returns multiple values, but I want only 2 values as defined in the tag.
Apologies, I do not understand why it would not return results for the tag, as the BIMEJob field does contain the values in the tag, it just doesn't show it in the search.
I'm wondering if the angle brackets are interfering with things. Try putting quotation marks around the right-hand side of each tag pair.
BIMEJob="<ds.scheduler.job>"