Re: Field extract NOT search.

khyoung7410 · ‎01-20-2019

Hi
My data format is as follows.
A=123456789
Field was extracted for every three digits from field A.
My field extract

A=(?P[0-9]{3})(?P[0-9]{3})(?P[0-9]{3})
New field name is A_1, A_2, A_3

The field is extracted but not searched by A_1=123.
My search Ex
index=main sourcetype=test A_1="123"
search not running.....

renjith_nair · ‎01-20-2019

Try named groups

|makeresults|eval A=123456789
|rex field=A "(?<A_1>[0-9]{3})(?<A_2>[0-9]{3})(?<A_3>[0-9]{3})"

This should result three fields A_1,A_2,A_3 and you can search where A_1=123

Happy Splunking!

khyoung7410 · ‎01-20-2019

Hi renjith.nair

But Not searched after registering for field extraction.

Field extract NOT search.