Splunk Search

Why is extracted field not showing up in the results page?

rmalghan
Explorer

I have a search with an extraction. It seems to be extracting the value, but it's showing up in its own column.

index=moogsoft "Return from ServiceNow (" | rex "Return from ServiceNow \((?<delay>\d+) seconds\)"

In the results page, I am only seeing the timestamp, the event, and the extracted delay variable below the event. How do I display it so the delay shows up in its own column next to the event?

gcusello
SplunkTrust

Hi @rmalghan,

let me understand: instead of the normal "List" view, you want a table with the following columns: timestamp, delay, events, is this correct?

If this is your need, you have to select "Table" instead of "List" (in the dropdown near Format).

This view displays only the fields you have in the "Selected Fields" list, so you can choose the ones you like.

Ciao.

Giuseppe

rmalghan
Explorer

When I do that, yes, I get the delay in a new column. But the event (raw log) goes away. I see _time, delay and source columns. How do I include the actual full event? When I click "All Fields", I don't see the option to select the event.

gcusello
SplunkTrust

Hi @rmalghan,

please try this:

your_search
| table _time delay _raw

Ciao.

Giuseppe

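
Added example (not part of this thread): a small Python model of what the rex extraction from the question and the `| table _time delay _raw` step above do, run over three constructed events. It assumes nothing about Splunk internals; the Splunk-style named group `(?<delay>...)` is converted to Python's `(?P<delay>...)`, and the third event is constructed so the base search phrase matches but the rex does not, which leaves delay empty in the table just as Splunk would.

```python
import re

# The rex pattern exactly as used in the question (Splunk/PCRE named-group syntax).
SPLUNK_REX = r"Return from ServiceNow \((?<delay>\d+) seconds\)"


def to_python_regex(splunk_pattern: str) -> str:
    """Rewrite PCRE-style named groups (?<name>...) as Python's (?P<name>...)."""
    return re.sub(r"\(\?<([A-Za-z_]\w*)>", r"(?P<\1>", splunk_pattern)


PATTERN = re.compile(to_python_regex(SPLUNK_REX))

# Constructed sample events standing in for index=moogsoft results; not real data.
# Every event contains the base search phrase, but the third one has no numeric delay.
EVENTS = [
    {"_time": "2024-06-01T10:00:00Z", "_raw": "INFO Return from ServiceNow (12 seconds) ticket=INC0001"},
    {"_time": "2024-06-01T10:00:05Z", "_raw": "INFO Return from ServiceNow (250 seconds) ticket=INC0002"},
    {"_time": "2024-06-01T10:00:09Z", "_raw": "WARN Return from ServiceNow (n/a seconds) ticket=INC0003"},
]


def rex(events, pattern):
    """Model `| rex`: add each named group as a field; events that don't match keep no delay field."""
    out = []
    for ev in events:
        row = dict(ev)
        m = pattern.search(ev["_raw"])
        if m:
            row.update(m.groupdict())
        out.append(row)
    return out


def table(events, *fields):
    """Model `| table f1 f2 ...`: keep only the listed fields, in that order; missing values become ""."""
    return [{f: ev.get(f, "") for f in fields} for ev in events]


def build_rows():
    """The full pipeline from the thread: rex, then table _time delay _raw."""
    return table(rex(EVENTS, PATTERN), "_time", "delay", "_raw")


if __name__ == "__main__":
    for row in build_rows():
        print(f"{row['_time']}  {row['delay']:>5}  {row['_raw']}")
```
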
rmalghan
Explorer

[attached screenshot: IMG_7516.jpg]

PickleRick
SplunkTrust

You can click on the "All fields" label on the left side of the screen and then add selected field(s) to the list of the interesting fields which will be displayed immediately below the raw event in the list view.
