- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Searches Using field extractions Issue
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The following searches' results contain events with the field, FUNCTIONAL_AREA_NAME="Minute Maid"
index=ko_autosys sourcetype=autosys_applog_scheduler_events host="usatlb98" OR host="usatlb91" JOB_NAME="sap_*" eventtype=autosys_initiated_jobs System="SAP FILO(p08)"
When I add FUNCTIONAL_AREA_NAME="Minute Maid" to the search above to narrow down. The search does not show any results at all.
index=ko_autosys sourcetype=autosys_applog_scheduler_events host="usatlb98" OR host="usatlb91" JOB_NAME="sap_*" eventtype=autosys_initiated_jobs System="SAP FILO(p08)" FUNCTIONAL_AREA_NAME="Minute Maid"
The search above shows no results but take out the field = minute maid and there are results with the minute maid field.
I have a field extraction pulling the _mm or _spmm to created the field, FUNC_AREA_ABR for functional area abbreviation and then I have anautomatic lookup table which takes FUNC_AREA_ABR and OUTPUTNEW FUNCTIONAL_AREA_NAME which is "Minute Maid"
Here is the field extraction: EXTRACT-FUNC_AREA_ABR = (?i)p(?P<FUNC_AREA_ABR>_\D+)This pull the _mm off of sap_mm01234 or _sp on sap_spmm1234.
Wy aren't the results showing? Please help. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are probably running in to this well-known problem:
http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/
Does this search work?
index=ko_autosys sourcetype=autosys_applog_scheduler_events host="usatlb98" OR host="usatlb91" JOB_NAME="sap_*" eventtype=autosys_initiated_jobs System="SAP FILO(p08)" FUNCTIONAL_AREA_NAME=* | search FUNCTIONAL_AREA_NAME="Minute Maid"
If so, the solution is to put this into fields.conf in the same directory that you have your field extractions (where props.conf is):
[FUNCTIONAL_AREA_NAME]
INDEXED_VALUE = false
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are probably running in to this well-known problem:
http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/
Does this search work?
index=ko_autosys sourcetype=autosys_applog_scheduler_events host="usatlb98" OR host="usatlb91" JOB_NAME="sap_*" eventtype=autosys_initiated_jobs System="SAP FILO(p08)" FUNCTIONAL_AREA_NAME=* | search FUNCTIONAL_AREA_NAME="Minute Maid"
If so, the solution is to put this into fields.conf in the same directory that you have your field extractions (where props.conf is):
[FUNCTIONAL_AREA_NAME]
INDEXED_VALUE = false
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you!
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
