
Create tag for rex field

bablucho
Path Finder

Hey All,

I get no results found for a tag that looks for fields created by a rex.

So...

sourcetype=DataServices | rex "JOB: Job (?<BIMEJob><(?<=<).*(?=>)>)"

i get the following field with results

[screenshot: extracted BIMEJob field values]


Now i want to bunch some field values together so i create a tag containing the field values i care about

[screenshot: GB1_BIME tag definition]


Added to my search, but I get no results found...

sourcetype=DataServices tag=GB1_BIME | rex "JOB: Job (?<BIMEJob><(?<=<).*(?=>)>)"

Greatly appreciated if someone could help?


bowesmana
SplunkTrust

I didn't think you could have tags created during the search based on statements that occur in search. There is a defined order of search time operations, where tags are created last

https://docs.splunk.com/Documentation/Splunk/8.2.2/Knowledge/Searchtimeoperationssequence

but if you start doing rex statements during your query, I don't think Splunk will then recalculate tags again based on new fields you have created.

If you want to create tags, then create the BIMEJob field as a field extraction, so it will be available before the tags are created. However, I suspect @richgalloway's answer that the two definitions not being supported will still hold true.

You could however, create an eventtype where you have the two conditions BIMEJob=A OR BIMEJob=B and then assign the tag to the eventtype, but this would again have to be done pre search.
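The knowledge-object route described in this answer, written out as .conf stanzas, is an added example and not configuration from the thread or from Splunk's own docs. It assumes the stanza names (EXTRACT-bimejob, bime_gb1_jobs), a second job value "<ds.other.job>" as a placeholder alongside the "<ds.scheduler.job>" value that appears in the thread, and a regex simplified from the poster's rex to capture up to the first ">":

```ini
# props.conf: search-time field extraction for the DataServices sourcetype.
# This runs in the field-extraction step of the search-time sequence, so
# BIMEJob exists before eventtypes and tags are evaluated (unlike a | rex
# in the search pipeline, which runs after tag matching has already happened).
# Regex is an assumed simplification of the thread's rex: capture "<...>" up to the first ">".
[DataServices]
EXTRACT-bimejob = JOB: Job (?<BIMEJob><[^>]+>)

# eventtypes.conf: group the job values of interest in one eventtype.
# "<ds.scheduler.job>" is from the thread; "<ds.other.job>" is a placeholder.
# Values are quoted because they contain angle brackets.
[bime_gb1_jobs]
search = sourcetype=DataServices (BIMEJob="<ds.scheduler.job>" OR BIMEJob="<ds.other.job>")

# tags.conf: attach the GB1_BIME tag to the eventtype, not to the raw field values.
[eventtype=bime_gb1_jobs]
GB1_BIME = enabled

# Resulting search; no rex is needed because the field is extracted
# before the tag is evaluated:
#   sourcetype=DataServices tag=GB1_BIME
#   | stats count by BIMEJob
```

Place the stanzas in the local/ directory of an app (or under the user's private knowledge objects) and share them with the same scope as the search that uses them. Before testing tag=GB1_BIME, confirm each layer on its own: sourcetype=DataServices | stats count by BIMEJob should show the extracted values, and sourcetype=DataServices eventtype=bime_gb1_jobs should return events; if either is empty, the tag will be too.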


bablucho
Path Finder

@bowesmana thanks for your input.

I've tried other suggestions, i.e. placing quotation marks, removing <>, but no dice.

It seems you are right by documentation that it is not possible due to tags being created last in the search-time operation order.

I will instead use linebreaking to break the events correctly; this way the fields I care about will be created automatically at index time.

richgalloway
SplunkTrust

The tag expects the BIMEJob field to have two values at the same time, which is not possible.


bablucho
Path Finder

The BIMEJob field returns multiple values, but I want only the 2 values as defined in the tag.

Apologies, I do not understand why it would not return results for the tag, as the BIMEJob field does contain the values in the tag; it just doesn't show them in the search.

richgalloway
SplunkTrust

I'm wondering if the angle brackets are interfering with things. Try putting quotation marks around the right-hand side of each tag pair.

BIMEJob="<ds.scheduler.job>"
