Solved: Save Button Grayed Out When Editing Regex (Field E...

jlemoine · ‎12-30-2016

I am trying to extract a new field from an event using regex in Splunk 6.5. I've progressed through the "Extract a New Field" walk through to a point where I have chosen to edit my own regex, however the "Save" button is grayed out, and I cannot progress.

My regex is fairly simple, and when I preview the results, it's 100% success against the sample events:

My simple regex = User: "\w+"

Can anyone tell me how to save my new field?

arkadyz1 · ‎12-30-2016

I think you need at least one capturing group in your regex. Like this: User: "(?<user>\w+)" - this will extract a field named user from the quotes after "User: " prefix.

View solution in original post

niketn · ‎12-30-2016

Try some of the following:
1) Unchecking the "Original search included" option, see if it allows you to select.
2) If above does not work , Open the View in Search to check wither results are returned. Try increasing the date range.
3) If everything else fails you can manually create Field Extractions through Settings> Fields using the regex or Directly in the props.conf for your sourcetype.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

arkadyz1 · ‎12-30-2016

I think you need at least one capturing group in your regex. Like this: User: "(?<user>\w+)" - this will extract a field named user from the quotes after "User: " prefix.

jlemoine · ‎01-04-2017

Awesome! This worked like a charm.

Save Button Grayed Out When Editing Regex (Field Extraction)

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!