Hi,
I have created a field in Splunk like this:
rex"_Arm(?
This field was successfully created and displays in the search results when I use the top command.
But when I use the field with a value directly in the search query, it says 0 results.
What could be the error? It's a strange behaviour I am experiencing in Splunk after using it for more than 8 months.
My query with top, which is working:
sourcetype="Mydata" | top Identifier
My query with the Identifier field, which is not working:
sourcetype="Mydata" Identifier="Start" (Not working)
Actually Start, Stop, Resume are the values that come in the field Identifier. Can you please help?
My sample log event:
whose linecount is 1.
Can you please update?
From what I read about your scenario, it's very likely that you're affected by the issue that is covered and solved in this blog post: http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/
NOTE: The blog post says that this is resolved in newer releases, but my own testing says otherwise...
I'm slightly confused, as neither of those searches actually has the rex command included, anyway. At a guess you aren't extracting the identifier before you try to search for it, so maybe do something like:
sourcetype="Mydata" | rex "_Arm(?<identifier>[a-zA-Z]*)<?" | search identifier="Start" | top identifier
Remember that field names are case sensitive, so you need to use a little i, as that is what you used in your rex command. This search now pulls all Mydata events, creates an identifier field where it can, filters the list down to just the events with the identifier Start and then pulls the top.
Still the same problem.
I used my query like this:
sourcetype="Mydata" identifier="Start"
So perhaps a regex of: \_Arm(?<identifier>[^\<]+)\<
Could you paste some example log data? It sounds like the regex is pulling in some extra characters you can't see.
My event data linecount for a single event is 1. Is that the problem??
No. Actually I have created that field for my sourcetype using the field manager in field extractions... then it's not working for me... when I use Identifier="*Start" it is working.
But it's not working when I use Identifier="Start". Actually the value in Identifier is Start only. I don't understand what's happening here...
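The "extra characters you can't see" hypothesis from the earlier answer, and the observation that Identifier="*Start" matches while Identifier="Start" does not, can be reproduced outside Splunk. The following is an added example, not code from the thread or from Splunk: it applies the loose regex suggested above to a few constructed events (one with a carriage return and one with a space hidden in front of the value) and approximates Splunk's field=value test (case-insensitive, * as wildcard). The sample events, the "host=app1 ... <done>" layout and the tightened regex are assumptions made for the illustration.

```python
import re

# Constructed sample events, not the poster's data. Event 2 carries a
# carriage return and event 3 a space between "_Arm" and the value; both are
# invisible in a typical log viewer but end up inside a loose capture group.
EVENTS = [
    "2011-10-07 12:00:01 host=app1 _ArmStart<done>",
    "2011-10-07 12:00:02 host=app1 _Arm\rStop<done>",
    "2011-10-07 12:00:03 host=app1 _Arm Resume<done>",
]

# Loose pattern from the thread: everything up to the next '<' becomes the value.
LOOSE = re.compile(r"_Arm(?P<identifier>[^<]+)<")

# Tightened pattern (assumption: the value is letters only). Surrounding
# whitespace, including \r, is consumed outside the capture group.
TIGHT = re.compile(r"_Arm\s*(?P<identifier>[A-Za-z]+)\s*<")


def extract(event, regex):
    """Return the captured identifier, or None when the regex does not match."""
    m = regex.search(event)
    return m.group("identifier") if m else None


def spl_match(value, pattern):
    """Approximate Splunk's field=value test: case-insensitive, '*' is a wildcard.

    The pattern is split on '*' and each literal piece is escaped, so only the
    wildcard has special meaning. DOTALL lets '*' cover hidden control bytes.
    """
    if value is None:
        return False
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), value, re.IGNORECASE | re.DOTALL) is not None


def search(events, regex, pattern):
    """Events whose extracted identifier satisfies identifier=<pattern>."""
    return [e for e in events if spl_match(extract(e, regex), pattern)]


def reveal(events, regex):
    """repr() of each extracted value: the quickest way to spot hidden bytes."""
    return [repr(extract(e, regex)) for e in events]


if __name__ == "__main__":
    # The loose regex silently includes the control character / space.
    print(reveal(EVENTS, LOOSE))
    # Exact match fails for the tainted values, wildcard prefix succeeds.
    print(search(EVENTS, LOOSE, "Stop"))    # []
    print(search(EVENTS, LOOSE, "*Stop"))   # event 2
    # After tightening the regex the exact match works again.
    print(search(EVENTS, TIGHT, "Stop"))    # event 2
```

The practical check is the reveal() step: look at the extracted value with repr() (or, in Splunk, compare len(Identifier) against the length you expect) before assuming the value really is just "Start".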