Splunk Search

Field Extraction

Abha
Explorer

Hi
I extracted a couple of fields from my input data.
However, those fields are not showing on the Fields Sidebar. Though I can view them in the Manager>>Fields>>Field Extractions.
What do I do now?

Tags (2)
0 Karma

wpreston
Motivator

I'd recommend testing your field extractions using the rex command in a search before adding them to the extractions page. Just enter your search terms, followed by | rex "your regular expression field extraction". I usually also follow it with | stats values myFieldName just to make sure I pick up only the values I wanted and don't have to adjust my regex. So for instance, if I were extracting browser from a log, I might use the following search to test my field extraction:

your search terms | rex "userAgent=(?<browser>[^(]+)" | stats values browser
0 Karma

Abha
Explorer

Well I simply created them using the web UI. Since I can only view them in Fields>> Field Extractions..dunno how I could test them..Any ideas?

0 Karma

Drainy
Champion

How did you create the field extracts and have you tested that they work anywhere?

0 Karma

rgcurry
Contributor

I typically create my field extractions by editing the props.conf directly, but I'm a shell bigot. (8->) When ever I cannot see my fields defined in the Fields Sidebar, I realize that I have failed to create metadata for my fields. As you are using the Web UI, I am not certain what might be doing this for you. Do you have access to the file system? Check the metadata/local.meta file in your app's etc/apps directory and assert that it has permissions set for your fields.

0 Karma

Abha
Explorer

Checked the local.meta file. Things seem to be in order there...

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...