Solved: Save Button Grayed Out When Editing Regex (Field E...

jlemoine · ‎12-30-2016

I am trying to extract a new field from an event using regex in Splunk 6.5. I've progressed through the "Extract a New Field" walk through to a point where I have chosen to edit my own regex, however the "Save" button is grayed out, and I cannot progress.

My regex is fairly simple, and when I preview the results, it's 100% success against the sample events:

My simple regex = User: "\w+"

Can anyone tell me how to save my new field?

arkadyz1 · ‎12-30-2016

I think you need at least one capturing group in your regex. Like this: User: "(?<user>\w+)" - this will extract a field named user from the quotes after "User: " prefix.

View solution in original post

niketn · ‎12-30-2016

Try some of the following:
1) Unchecking the "Original search included" option, see if it allows you to select.
2) If above does not work , Open the View in Search to check wither results are returned. Try increasing the date range.
3) If everything else fails you can manually create Field Extractions through Settings> Fields using the regex or Directly in the props.conf for your sourcetype.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

arkadyz1 · ‎12-30-2016

I think you need at least one capturing group in your regex. Like this: User: "(?<user>\w+)" - this will extract a field named user from the quotes after "User: " prefix.

jlemoine · ‎01-04-2017

Awesome! This worked like a charm.

Save Button Grayed Out When Editing Regex (Field Extraction)

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation