Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Create tag for rex field

bablucho
Path Finder
‎10-12-2021 04:36 AM

Hey All,

I get no results found for a tag that looks for fields created by a rex.

So...

sourcetype=DataServices | rex "JOB: Job (?<BIMEJob><(?<=<).*(?=>)>)"

i get the following field with results

bablucho_0-1634038045003.png


Now i want to bunch some field values together so i create a tag containing the field values i care about

bablucho_1-1634038236278.png


added to my search but i get no results found...

sourcetype=DataServices tag=GB1_BIME | rex "JOB: Job (?<BIMEJob><(?<=<).*(?=>)>)"

Greatly appreciated if someone could help?

 

Labels (2)
Labels
Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎10-12-2021 02:26 PM

I didn't think you could have tags created during the search based on statements that occur in search. There is a defined order of search time operations, where tags are created last

https://docs.splunk.com/Documentation/Splunk/8.2.2/Knowledge/Searchtimeoperationssequence

but if you start doing rex statements during your query, I don't think Splunk will then recalculate tags again based on new fields you have created.

If you want to create tags, then create the BIMEJob field as a field extraction, so it will be available before the tags are created. However, I suspect @richgalloway answer that the two definitions not being supported will still hold true.

You could however, create an eventtype where you have the two conditions BIMEJob=A OR BIMEJob=B and then assign the tag to the eventtype, but this would again have to be done pre search.

 

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎10-12-2021 02:26 PM

I didn't think you could have tags created during the search based on statements that occur in search. There is a defined order of search time operations, where tags are created last

https://docs.splunk.com/Documentation/Splunk/8.2.2/Knowledge/Searchtimeoperationssequence

but if you start doing rex statements during your query, I don't think Splunk will then recalculate tags again based on new fields you have created.

If you want to create tags, then create the BIMEJob field as a field extraction, so it will be available before the tags are created. However, I suspect @richgalloway answer that the two definitions not being supported will still hold true.

You could however, create an eventtype where you have the two conditions BIMEJob=A OR BIMEJob=B and then assign the tag to the eventtype, but this would again have to be done pre search.

 

Reply
Solved! Jump to solution

bablucho
Path Finder
‎10-19-2021 06:32 AM

@bowesmana thanks for your input.

I've tried other suggestions i.e placing quotation marks, removing <> but no die.

it seems you are right by documentation that it is not possible due to tags created last during search time operation order.

i will instead use linebreaking to break the events correctly, this way the fields i care about will be created automatically at index time.

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-12-2021 05:54 AM

The tag expects the BIMEJob field to have two values at the same time, which is not possible.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

bablucho
Path Finder
‎10-12-2021 07:21 AM

the BIMEJob field returns multiple values but i want only 2 values as defined in the tag.

 

Apologies i do not understand why it would not return results for the tag as the BIMEJob field does contain the values in the tag, just doesnt show it in the search

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-12-2021 08:17 AM

I'm wondering if the angle brackets are interfering with things.  Try putting quotation marks around the right-hand side of each tag pair.

BIMEJob="<ds.scheduler.job>"

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...