Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Field Extraction and Search Not Syncing Properly
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am having a problem where I can extract a field, but when using that field in the search it will not return results. I believe I have narrowed the problem down to being an issue with me removing part of the word that is unneeded (it is the same on each field).
Here is an example:
^.*Test(?<extracted>[^:]).*$
TestOne returns 'One', TestTwo returns 'Two', etc.
But when I search using extracted it will fail unless I do one of the following (which both I would prefer to avoid):
Change the regex:
^.*(?<extracted>Test[^:]).*$
TestOne returns 'TestOne', TestTwo returns 'TestTwo', etc.
Add a wildcard at the front of the search: extracted="*One" to get all 'TestOne'
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're probably seeing the effects of what is described here: http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/
Basically Splunk breaks down event data into individual segments and uses those for searching. When you define extractions that do not correspond to any segment Splunk won't find anything.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're probably seeing the effects of what is described here: http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/
Basically Splunk breaks down event data into individual segments and uses those for searching. When you define extractions that do not correspond to any segment Splunk won't find anything.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I was incorrect. I had changed the regex temporarily so that the reports would work correctly and forgot to change them back for the test. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't believe this is the answer. In the document it says that I should be able to search using Myfield="*" | search="Valid" and it would work. However, this doesn't work for mine either.
Edit: Just wanted to clarify, this isn't necessarily wrong. I just think there is more to the answer as the test still fails for me.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
