Splunk Search

Field Extraction

Explorer

Hi
I extracted a couple of fields from my input data.
However, those fields are not showing on the Fields Sidebar. Though I can view them in the Manager>>Fields>>Field Extractions.
What do I do now?

Tags (2)
0 Karma

Motivator

I'd recommend testing your field extractions using the rex command in a search before adding them to the extractions page. Just enter your search terms, followed by | rex "your regular expression field extraction". I usually also follow it with | stats values myFieldName just to make sure I pick up only the values I wanted and don't have to adjust my regex. So for instance, if I were extracting browser from a log, I might use the following search to test my field extraction:

your search terms | rex "userAgent=(?<browser>[^(]+)" | stats values browser
0 Karma

Explorer

Well I simply created them using the web UI. Since I can only view them in Fields>> Field Extractions..dunno how I could test them..Any ideas?

0 Karma

Champion

How did you create the field extracts and have you tested that they work anywhere?

0 Karma

Contributor

I typically create my field extractions by editing the props.conf directly, but I'm a shell bigot. (8->) When ever I cannot see my fields defined in the Fields Sidebar, I realize that I have failed to create metadata for my fields. As you are using the Web UI, I am not certain what might be doing this for you. Do you have access to the file system? Check the metadata/local.meta file in your app's etc/apps directory and assert that it has permissions set for your fields.

0 Karma

Explorer

Checked the local.meta file. Things seem to be in order there...

0 Karma
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!