Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Save Button Grayed Out When Editing Regex (Field E...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to extract a new field from an event using regex in Splunk 6.5. I've progressed through the "Extract a New Field" walk through to a point where I have chosen to edit my own regex, however the "Save" button is grayed out, and I cannot progress.
My regex is fairly simple, and when I preview the results, it's 100% success against the sample events:
My simple regex = User: "\w+"
Can anyone tell me how to save my new field?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you need at least one capturing group in your regex. Like this: User: "(?<user>\w+)" - this will extract a field named user from the quotes after "User: " prefix.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try some of the following:
1) Unchecking the "Original search included" option, see if it allows you to select.
2) If above does not work , Open the View in Search to check wither results are returned. Try increasing the date range.
3) If everything else fails you can manually create Field Extractions through Settings> Fields using the regex or Directly in the props.conf for your sourcetype.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think you need at least one capturing group in your regex. Like this: User: "(?<user>\w+)" - this will extract a field named user from the quotes after "User: " prefix.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Awesome! This worked like a charm.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Observability Simplified: Combining User Experience, Application Performance & ...
Event Series May & June: From Network Visibility to Service Intelligence
