Hi all,
I'm using the Splunk Field Extractor in order to clean up my search a bit, and I'm using the following rex extraction, which works fine from the search and even from the extraction preview; however, once I save it, it does not appear in my fields. Would anyone happen to know why this is? Thank you in advance.
| rex field=source ".*?(?<Machine_Model>9\d\d)"
Sometimes a field extraction doesn't necessarily show up after saving it in the GUI (props.conf).
First, try a debug refresh:
http://splunksearchead:8000/debug/refresh
If that doesn't help, try restarting the splunkd service.
Pretty sure that the problem will be in your regular expression; when I do search time field extractions that don't appear in the interesting fields, 100% of the time it's because I've screwed up the RegEx.
What does the line you're trying to extract Machine_Model from look like?
\d{2} might be a better way of finding "910" if that's what you're looking for, but it may be the .*? at the start that's breaking the extraction.
Interestingly, they do not appear in props.conf, and I do not have a transforms.conf file. From Splunk Web, it does show global.
[csv2]
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true
[csv]
NO_BINARY_CHECK = true
disabled = false
[CSV_Upload]
SHOULD_LINEMERGE = false
[test_file]
BREAK_ONLY_BEFORE=goblygook
MAX_EVENTS=200000
DATETIME_CONFIG = NONE
CHECK_METHOD = modtime
pulldown_type = true
LEARN_MODEL = false
What sourcetype did you use? Can you try deleting and recreating it, and this time set the permission to app-specific, giving users read permission and admins write permission?
OK, I checked, and sharing is set to global, and every user role has read and write permissions. The preview from IFX shows that the extraction is working, but when I save it, it no longer works, i.e. it doesn't appear as an extracted field unless I use the rex command to manually extract it. Again, thank you for helping.
Show us your props.conf and transforms.conf files. If you set it to global, then these should be in $SPLUNK_HOME/etc/system/local/
Yes, in the panel where interesting fields appear; I apologize for not being clear about that. I tried your command and it does not work. Also, this field appears in 100% of the events; I verified my pattern before using the extraction tool, and it did seem to pick up on all of them. I was thinking it might be the fact that I'm using a rex field command, and not rex?
Next thing to check is permissions.
If you go to the menu Settings->Fields->Field Extractions and then select your app context to find your extraction, you'll most likely need to enable permissions on that field. And make sure the sourcetype matches with the sourcetype for the data.
Also verify your regex in ifx.
When you say it does not appear in fields, are you referring to the panel on the left where all the interesting fields are listed? The fields listed there are ones that appear in more than 20% of the events. Have you tried the newly created field in search, like | table _time Machine_Model? Does it show up there?
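One check worth doing before restarting anything is to read the saved extraction straight out of props.conf and replay it against a sample event, the same way the "show us your props.conf" and "try | table _time Machine_Model" replies above suggest. The original rex runs against the source field (rex field=source), and a saved EXTRACT- setting only does that when it ends in "in source"; without that suffix Splunk applies the regex to _raw. The script below is an added example, not code from the thread or from Splunk: it parses a constructed props.conf that mirrors the stanzas posted above plus two hypothetical EXTRACT-Machine_Model lines (one with "in source", one without), and shows which form actually yields the field on a constructed event whose filename carries the model number.

```python
import re

# Constructed props.conf for this example: the [csv2] and [test_file] stanzas
# from the thread, plus two hypothetical EXTRACT- lines that a saved IFX
# extraction could have produced. Neither EXTRACT line is from the original post.
PROPS_CONF = r"""
[csv2]
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
EXTRACT-Machine_Model = .*?(?<Machine_Model>9\d\d) in source

[test_file]
BREAK_ONLY_BEFORE=goblygook
DATETIME_CONFIG = NONE
EXTRACT-Machine_Model = .*?(?<Machine_Model>9\d\d)
"""

# Constructed sample event: the model number lives in the file name (source),
# not in the CSV row itself (_raw).
SAMPLE_EVENT = {
    "source": "/data/exports/model_910_readings.csv",
    "_raw": "2024-05-01,12.5,ok",
}


def parse_props(text):
    """Parse props.conf-style text into {stanza: {key: value}}."""
    stanzas = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def extract_settings(stanzas, sourcetype):
    """Return {class: (regex, field)} for every EXTRACT-<class> key in a stanza.

    Splunk's syntax is 'EXTRACT-<class> = <regex> [in <field>]'; when the
    'in <field>' suffix is absent the regex is applied to _raw.
    """
    out = {}
    for key, value in stanzas.get(sourcetype, {}).items():
        if not key.startswith("EXTRACT-"):
            continue
        m = re.fullmatch(r"(.*)\s+in\s+(\w+)", value)
        regex, field = (m.group(1), m.group(2)) if m else (value, "_raw")
        out[key[len("EXTRACT-"):]] = (regex, field)
    return out


def to_python_regex(splunk_regex):
    """Splunk uses PCRE named groups (?<name>...); Python's re wants (?P<name>...).
    Lookbehinds (?<= and (?<! are left untouched."""
    return re.sub(r"\(\?<(?=\w+>)", "(?P<", splunk_regex)


def apply_extractions(stanzas, sourcetype, event):
    """Simulate search-time extraction for one event; returns event plus new fields."""
    fields = dict(event)
    for _cls, (regex, field) in extract_settings(stanzas, sourcetype).items():
        m = re.search(to_python_regex(regex), fields.get(field, ""))
        if m:
            fields.update({k: v for k, v in m.groupdict().items() if v is not None})
    return fields


STANZAS = parse_props(PROPS_CONF)

if __name__ == "__main__":
    for st in ("csv2", "test_file"):
        print(st, extract_settings(STANZAS, st),
              "->", apply_extractions(STANZAS, st, SAMPLE_EVENT).get("Machine_Model"))
```

Running it shows Machine_Model = 910 for the [csv2] stanza (regex applied to source) and nothing for [test_file] (regex applied to _raw, which has no 9xx number). On a real search head the same inspection is done against the merged configuration rather than a single file, so compare the output of btool (splunk btool props list <sourcetype> --debug) with what you expect before assuming permissions are the problem.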