Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I not getting results running a search on an extracted field?

gcusello
SplunkTrust
SplunkTrust
‎04-14-2016 01:56 AM

Hi at all,

I have a very strange behavior in one of my searches:

  • I extracted a field from a raw as a part of a word: 2016-04-13 12.12.45 ZZ1234567890123456789 and I need to take only the first 8 letters after the date ZZ123456;
  • I use the following regex ^.{20}(?\w{8}). It runs and I can extract my field and show it in my tables.

The problem is when I want to search using my field because if i write:

  index=xxx sourcetype=xxx Myfield="ZZ123456"

I don't get any results.

If I instead write:

  index=xxx sourcetype=xxx | search Myfield="ZZ123456"

I find the correct log.

The problem seems to be in the field extraction because if I extract the full string ^.{20}(?\w{21}), the search runs in both the situations, but if I want to use only a part of it, the search doesn't run.

Now I'm modifying all my searches, but it's a long job that I'd like to avoid.

Anyone has an idea of how to intervene?

Thank you in advance.

Bye.

Giuseppe

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

twinspop
Influencer
‎04-14-2016 07:53 AM

See this blog post for a good explanation on why this happens.

http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/

View solution in original post

Reply
Solved! Jump to solution
Solution

twinspop
Influencer
‎04-14-2016 07:53 AM

See this blog post for a good explanation on why this happens.

http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/

Reply
Solved! Jump to solution

meenal901
Communicator
‎04-14-2016 05:19 AM

Hi Giussepe,

Your field extraction looks good. When you extract using 21 characters and run the search "index=xxx sourcetype=xxx", do you already have a field called "Myfield" in the interesting fields list? If yes, then it means your extraction is already saved in the props.conf of the search head.
If not, then this is a weird case of rex 🙂

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...