Splunk Search

I am able to extract a field with rex in a search, but why does it not appear in Interesting Fields when I save it as a field extraction?

raby1996
Path Finder

Hi all,

I'm using the Splunk Field Extractor in order clean up the my search a bit, and I'm using the following rex extraction which works fine from the search and even from the extraction preview, however, once I save it, it does not appear in my fields. Would anyone happen to know why this is? Thank you in advance

| rex field=source ".*?(?<Machine_Model>9\d\d)"
0 Karma
1 Solution

ehudb
Contributor

Sometimes field extraction doesn't necessary show up after saving it in the GUI (props.conf)
First, to to debug refresh:

http://splunksearchead:8000/debug/refresh

If not, try to restart the splunkd service.

View solution in original post

howyagoin
Contributor

Pretty sure that the problem will be in your regular expression; when I do search time field extractions that don't appear in the interesting fields, 100% of the time it's because I've screwed up the RegEx.

What does the line look like you're trying extract MachineModel from?

\d{2} might be a better way of finding "910" if that's what you're looking for, but, it may be the .*? at the start that's breaking the extraction.

0 Karma

ehudb
Contributor

Sometimes field extraction doesn't necessary show up after saving it in the GUI (props.conf)
First, to to debug refresh:

http://splunksearchead:8000/debug/refresh

If not, try to restart the splunkd service.

raby1996
Path Finder

Interestingly, they do not appear in props.conf, and I do not have a transforms.conf file. From Splunk Web, it does show global.

[csv2]
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false
pulldown_type = true

[csv]
NO_BINARY_CHECK = true
disabled = false

[CSV_Upload]
SHOULD_LINEMERGE = false

[test_file]
BREAK_ONLY_BEFORE=goblygook
MAX_EVENTS=200000
DATETIME_CONFIG = NONE
CHECK_METHOD = modtime
pulldown_type = true
LEARN_MODEL = false              
0 Karma

sundareshr
Legend

what sourcetype did you use. can you try and delete and recreate and this time, set the permission to app specific and give users read permissions and admin write permissions.

0 Karma

raby1996
Path Finder

Ok I checked, and sharing is set to global, and every user role has read and write permissions. the preview from ifx shows that the extraction is working, but when I save it, it no longer works, I.E. it doesn't appear as an extracted field unless I use the rex command to manually extract it, again thank you for helping.

0 Karma

woodcock
Esteemed Legend

Show us your props.conf and transforms.conf files. If you set it to global, then these should be in $SPLUNK_HOME/etc/system/local/

0 Karma

raby1996
Path Finder

Yes in the panel where interesting fields appear, I apologize for not being clear about that. I tried your command and it does not work, also this field appears in 100% of the events, I verified my pattern before using the extraction tool ,and it did seem to pick up on all of them. I was thinking if it might be the fact that I'm using a rex field command, and not rex?

0 Karma

sundareshr
Legend

Next thing to check is permissions.

If you go to the menu Settings->Fields->Field Extractions and then select your app context to find your extraction, you'll most likely need to enable permissions on that field. And make sure the sourcetype matches with the sourcetype for the data.

Also verify your regex in ifx.

0 Karma

sundareshr
Legend

When you say it does not appear in fields, Are you referring to the panel on the left where all the interesting fields are listed? The fields listed there are ones that appear in more than 20% of the events. Have you tried the newly created field in search, like | table _time Machine_Model. Does it show up there?

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...