Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Is there a way to disable a field extraction within a search, so that a different field extraction can be performed instead?

arrowecssupport
Communicator
‎04-19-2017 03:32 AM

Hi,

I have two different field extractions that i need to use. The 1st one is used all the time for my system and I've used a REX to extract this automatically.

However I've got another REX which is similar but slightly different and when i try to use this inline with a search the results get messed up due to the 1st one running in the background.

Is there a way of telling this specifically search not to perform the field extraction for the 1st one?

Thanks

0 Karma
Reply

puneethgowda
Communicator
‎04-19-2017 04:31 AM

go to setting ---> fields ---> fields extraction and delete your old extraction in UI

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎04-19-2017 04:14 AM 
 | rex match_match=0 "(?<allParts>\w\d{4})" | makemv allParts | rex field=allParts "(?<part>\w\d{4})"

If this doesn't work, then please provide your existing searches, extractions, etc.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎04-19-2017 03:50 AM

There shouldn't be any conflict between the rex commands. If you're using the IFX (interactive field extractor), however, I've seen it not allow you to extract from where fields are already extracted.

Can you share your rex commands please?

I assume one is actually a EXTRACT or TRANSFORM or REPORT (aka auto extraction), and the other is a rex command in the search. Can you please share all of them and how you're extracting each? Also sample data will speed the solution as well.

0 Karma
Reply

arrowecssupport
Communicator
‎04-19-2017 03:56 AM

The data looks like this (sorry I've had to obscure the exact data)

1.1 vendor X4010 (mahyts4)
1.2 vendor X4010 (Failed)
1.3 vendor X4017 (dokdok4)

The 1st REX looks for the part number (X4010) where there is a "Failed" part.
The 2nd REX looks for a list of all Part numbers (X4010 & X4017)

So the problem happens when i'm trying to run a complete list of Part numbers, but the 1st rex always populates my search as it's happening in the background.

0 Karma
Reply

cpetterborg
SplunkTrust
SplunkTrust
‎04-19-2017 04:08 AM

Are you using the same names in both field extractions? That could be your conflict.

0 Karma
Reply

arrowecssupport
Communicator
‎04-19-2017 05:01 AM

Naa different names.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...