Splunk Search

Event log cannot be fully displayed in Field Extractor

LuiesCui
Communicator

Hey fellow Splunker's. I'm trying to extract some fields from Windows event logs. When I search these logs the content looks great: alt text

But when I want to extract more fields, some of the content just disappear in Field Extractor:
alt text
So I can't get those fields extracted. Any suggestions? Thanks in advanced!

Tags (2)
0 Karma

damann
Communicator

The built in field extractor could work but why don't you build your regex from scratch?
www.regex101.com will help and explain you a lot!

If you provide an example event and describe what you want to have extracted I'm sure that i can help you with that.

0 Karma

skalliger
Motivator

Did you try setting CHARSET = UTF-16 in your props.conf?

Skalli

0 Karma

LuiesCui
Communicator

Hi Skalli, thanks for you reply. I put CHARSET = UTF-16 to the props.conf in my app and still don't see the rest of the content.

0 Karma

lakshman239
Influencer

I believe the splunk's extractor only loads certain number of chars/events.. Have you loaded your event to rex101 [ https://regex101.com/] and tried to extract your required fields?

Another option, would be to setup the universal forwarder to collect the data in XML renderXml=true [ if that's acceptable in your case, as it will show everything in english]

0 Karma
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...