Splunk Search

Is there a way to disable a field extraction within a search, so that a different field extraction can be performed instead?

Communicator

Hi,

I have two different field extractions that I need to use. The 1st one is used all the time for my system and I've used a REX to extract this automatically.

However, I've got another REX which is similar but slightly different, and when I try to use this inline with a search the results get messed up due to the 1st one running in the background.

Is there a way of telling this specific search not to perform the field extraction for the 1st one?

Thanks

0 Karma

Communicator

Go to Settings ---> Fields ---> Field extractions and delete your old extraction in the UI.

0 Karma

SplunkTrust
 | rex max_match=0 "(?<allParts>\w\d{4})" | makemv allParts | rex field=allParts "(?<part>\w\d{4})"

If this doesn't work, then please provide your existing searches, extractions, etc.

0 Karma

SplunkTrust

There shouldn't be any conflict between the rex commands. If you're using the IFX (interactive field extractor), however, I've seen it not allow you to extract from where fields are already extracted.

Can you share your rex commands please?

I assume one is actually an EXTRACT or TRANSFORM or REPORT (aka auto extraction), and the other is a rex command in the search. Can you please share all of them and how you're extracting each? Also sample data will speed the solution as well.

0 Karma

Communicator

The data looks like this (sorry I've had to obscure the exact data)

1.1 vendor X4010 (mahyts4)
1.2 vendor X4010 (Failed)
1.3 vendor X4017 (dokdok4)

The 1st REX looks for the part number (X4010) where there is a "Failed" part.
The 2nd REX looks for a list of all Part numbers (X4010 & X4017)

So the problem happens when I'm trying to run a complete list of Part numbers, but the 1st rex always populates my search as it's happening in the background.

0 Karma

SplunkTrust

Are you using the same names in both field extractions? That could be your conflict.

0 Karma

Communicator

Naa different names.

0 Karma
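A self-contained search over the three sample lines posted in this thread, added here as an example and not written by any participant. It runs a "failed part" extraction and an "all parts" extraction side by side under different field names. Both regexes and the field names `failed_part`, `all_parts` and `failed_parts` are assumptions, since the poster's actual extractions were not shared, and both extractions are inline `rex` commands here rather than one automatic extraction.

```spl
| makeresults
| eval line=split("1.1 vendor X4010 (mahyts4)|1.2 vendor X4010 (Failed)|1.3 vendor X4017 (dokdok4)", "|")
| mvexpand line
| rex field=line "(?<failed_part>\w\d{4})\s+\(Failed\)"
| rex field=line "vendor\s+(?<part>\w\d{4})"
| stats values(part) AS all_parts values(failed_part) AS failed_parts
```

With these patterns `all_parts` holds X4010 and X4017 while `failed_parts` holds only X4010, so the two extractions do not overwrite each other as long as their field names differ.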