
Why do the Sample Events returned from the Interactive Field Extractor not match my original events?

mark_chuman
Path Finder

Hopefully I can explain this one effectively.

I have a search that brings back 3 records. I then select the drop-down field in the leftmost column with an "i" over it. This expands the record and there are more options. There is an "Event Actions" drop-down. I select this and choose "Extract Fields". A new browser tab is opened and I should be able to type in a value in the "Example values for a field" window and click generate and the pattern should be identified in the records. The problem I have is that the Sample Events that are returned are nothing like the 3 records that I was presented with initially. Any insight into what may be happening is welcome.

Thanks!


mark_chuman
Path Finder

I think I got it. The samples that are returned aren't the exact same, but are the same format so the regex should work fine. Thanks!


mark_chuman
Path Finder

Not sure which step you are referring to. What step in the attached document are you talking about? Thanks for the time on this one.

Thanks

Well, I don't have enough karma to upload (thought we would get those with a Splunk license 🙂). Not sure how I can show you... I have to admit the karma thing is a bit cumbersome (to Splunk moderator).


somesoni2
SplunkTrust

This list is based on the event you selected from your search and the field restriction (the restriction specified before the first pipe '|') you specified.
