Splunk Search

Field value is not picked up in search interface?

rakesh_498115
Motivator

Hi,

I have created a field in Splunk like this:

rex "_Arm(?<identifier>[a-zA-Z]*)<?"

This field was successfully created and is displayed in the search results when I use the top command,
but when I use the field with a value directly in the search query, it says 0 results.

What could be the error? It's strange behaviour I am experiencing in Splunk after using it for more than 8 months.

My query with top, which is working:

sourcetype="Mydata" | top Identifier

My query with the Identifier field, which is not working:

sourcetype="Mydata" Identifier="Start" (Not working)

Actually Start, Stop and Resume are the values that come in the field Identifier. Can you please help?

My sample log event:

2012-12-2111:42:03.542NONEIPUB-OR_P3;JMS_ArmStartPEIINFOE2E.busTxnStage=NOT,E2E.compTxnName=P1,E2E.compTxnID=2hfyuwi494,E2E.from=IPUB-OR,E2E.to=MQREP,E2E.aborted=true,E2E.graphID=1.1.1,E2E.threadID=2hfyrk9v02,E2E.busProcType=notify,E2E.busProcOriginator=GS-SMARTS,E2E.threadID.1=:,E2E.busTxnType=MENNotifications,E2E.busTxnHdr=PCK002069,E2E.busTxnSys=GS-S_MENNotifica,E2E.busTxnLoc=UNKNOWN,E2E.busTxnUsr=wbrkadm,E2E.busTxnSeq=2hfyrk9uxpuuid:e55b1572-1c50-11e2-a5ac-0ae6bdb20000#uuid:fc4c0a04-1c58-11e2-a8e7-0ae6bdb20000-

whose linecount is 1.

Can you please update!

0 Karma

Ayn
Legend

From what I read about your scenario it's very likely that you're affected by the issue that is covered and solved in this blog post: http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/

NOTE: The blog post says that this is resolved in newer releases but my own testing says otherwise...

Drainy
Champion

I'm slightly confused as neither of those searches actually has the rex command included, anyway. At a guess you aren't extracting the identifier before you try to search for it, so maybe do something like:

sourcetype="Mydata" | rex "_Arm(?<identifier>[a-zA-Z]*)<?" | search identifier="Start" | top identifier

Remember that field names are case sensitive, so you need to use a little i as that is what you used in your rex command. This search now pulls all Mydata events, creates an identifier field where it can, filters the list down to just the events with the identifier Start and then pulls the top.

0 Karma

rakesh_498115
Motivator

Still the same problem..

Used my query like this:

sourcetype="Mydata" identifier="Start"

0 Karma

Drainy
Champion

So perhaps a regex of:

\_Arm(?<identifier>[^\<]+)\<

0 Karma

Drainy
Champion

Could you paste some example log data? It sounds like the regex is pulling in some extra characters you can't see.

0 Karma

rakesh_498115
Motivator

My event data linecount for a single event is 1. Is that the problem?

0 Karma

rakesh_498115
Motivator

No, actually I have created that field for my sourcetype using the fields manager in field extractions... then it's not working for me... when I use Identifier="*Start" it is working..

But it's not working when I use Identifier="Start". Actually the value in the Identifier is Start only. I don't understand what's happening here..

0 Karma
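The two explanations raised in this thread (Drainy's guess that the regex captures characters you cannot see, and the indexed-value behaviour in the blog post Ayn links, which also accounts for Identifier="*Start" matching while Identifier="Start" does not) can be shown side by side. The Python below is an added example, not code from the thread or from Splunk: the events are constructed to resemble the sample line, the breaker set in BREAKERS is a simplified stand-in for Splunk's segmentation, and base_search is an assumed model of how a literal field=value in the base search is first required to exist as an indexed term before the extracted field is compared.

```python
import re
from fnmatch import fnmatchcase
from typing import Optional

# Constructed events in the shape of the thread's sample line (not the original
# event; the real separators around "ArmStart" did not survive extraction).
EVENTS = [
    "2012-12-21 11:42:03.542 NONE IPUB-OR_P3;JMS_ArmStart<PEI> INFO E2E.compTxnName=P1,E2E.from=IPUB-OR",
    "2012-12-21 11:42:04.100 NONE IPUB-OR_P3;JMS_ArmStop<PEI> INFO E2E.compTxnName=P1,E2E.from=IPUB-OR",
    "2012-12-21 11:42:05.250 NONE IPUB-OR_P3;JMS_ArmResume<PEI> INFO E2E.compTxnName=P2,E2E.from=MQREP",
    # No '<' after the value: shows how the original pattern over-captures.
    "2012-12-21 11:42:06.000 NONE IPUB-OR_P3;JMS_ArmResumePEI INFO E2E.compTxnName=P2,E2E.from=MQREP",
]

# The rex from the question, written as a Python named group.
IDENTIFIER_REX = re.compile(r"_Arm(?P<identifier>[a-zA-Z]*)<?")

# Assumption: a simplified stand-in for Splunk's segmentation breakers.
# Only whole terms between breakers end up in the index lexicon.
BREAKERS = re.compile(r"[\s,;=<>()\[\]{}\"'./:_-]+")


def extract(event: str) -> Optional[str]:
    """Search-time field extraction: what `identifier` would hold for this event."""
    m = IDENTIFIER_REX.search(event)
    return m.group("identifier") if m else None


def lexicon(event: str) -> set:
    """Terms the index would hold for this raw event (simplified model)."""
    return {term for term in BREAKERS.split(event) if term}


def base_search(events: list, value: str) -> list:
    """Model of `sourcetype="Mydata" identifier=<value>` typed in the base search.

    Assumption (modelling the behaviour the linked blog post describes): a
    literal value must also exist as an indexed term in the event, so events
    are skipped before the field is even compared. A wildcarded value cannot
    be looked up as a term, so that check is skipped and only the extracted
    field is compared.
    """
    literal = "*" not in value
    hits = []
    for event in events:
        if literal and value not in lexicon(event):
            continue
        ident = extract(event)
        if ident is not None and fnmatchcase(ident, value):
            hits.append(event)
    return hits


def piped_search(events: list, value: str) -> list:
    """Model of `sourcetype="Mydata" | rex ... | search identifier=<value>`.

    The field already exists on each result when `search` runs, so only the
    extracted value is compared; no indexed-term check is involved.
    """
    return [e for e in events
            if (ident := extract(e)) is not None and fnmatchcase(ident, value)]


if __name__ == "__main__":
    for event in EVENTS:
        print(f"{extract(event)!r:>12}  indexed terms contain 'Start'? "
              f"{'Start' in lexicon(event)}")
    print("base search identifier=Start  ->", len(base_search(EVENTS, "Start")), "results")
    print("base search identifier=*Start ->", len(base_search(EVENTS, "*Start")), "results")
    print("| search identifier=Start     ->", len(piped_search(EVENTS, "Start")), "results")
```

Running it shows the three behaviours from the thread: the regex yields Start for the first event, yet the base search for identifier="Start" returns nothing because "Start" is never a whole term of the raw event (only "ArmStart" is); identifier="*Start" and the piped | search form both return that event; and the fourth event, which lacks the "<" after the value, extracts as ResumePEI, the over-capture Drainy suspected. In Splunk itself the documented way to stop the indexed-term requirement for a field whose values are not whole tokens is INDEXED_VALUE = false for that field in fields.conf.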