Splunk Search

Why am I not getting results running a search on an extracted field?

Esteemed Legend

Hi at all,

I have a very strange behavior in one of my searches:

  • I extracted a field from a raw as a part of a word: 2016-04-13 12.12.45 ZZ1234567890123456789 and I need to take only the first 8 letters after the date ZZ123456;
  • I use the following regex ^.{20}(?\w{8}). It runs and I can extract my field and show it in my tables.

The problem is when I want to search using my field because if i write:

  index=xxx sourcetype=xxx Myfield="ZZ123456"

I don't get any results.

If I instead write:

  index=xxx sourcetype=xxx | search Myfield="ZZ123456"

I find the correct log.

The problem seems to be in the field extraction because if I extract the full string ^.{20}(?\w{21}), the search runs in both the situations, but if I want to use only a part of it, the search doesn't run.

Now I'm modifying all my searches, but it's a long job that I'd like to avoid.

Anyone has an idea of how to intervene?

Thank you in advance.



0 Karma
1 Solution



See this blog post for a good explanation on why this happens.



Hi Giussepe,

Your field extraction looks good. When you extract using 21 characters and run the search "index=xxx sourcetype=xxx", do you already have a field called "Myfield" in the interesting fields list? If yes, then it means your extraction is already saved in the props.conf of the search head.
If not, then this is a weird case of rex 🙂

0 Karma
Get Updates on the Splunk Community!

Platform Highlights | November 2022 Newsletter

 November 2022 Skill Up on Splunk with our New Builder Tech Talk SeriesCan you build it? Yes you can! *play ...

Splunk Education - Fast Start Program!

Welcome to Splunk Education! Splunk training programs are designed to enable you to get started quickly and ...

Five Subtly Different Ways of Adding Manual Instrumentation in Java

You can find the code of this example on GitHub here. Please feel free to star the repository to keep in ...