Splunk Search

Why is my search-time field not displayed?

Builder

I have defined a new field extraction at search time. I don't know if there is any way to test it. For the moment I can't see the field at search time, in the left part of the screen.
Is it because it is not working properly (no match found), or do I have to do something else?

It is defined as:
<vdv\d\d\d:(.*?)\s for a specific sourcetype, cusadapter

When I search for it, this is what I find:

cusadapter : EXTRACT-vdvmessagetype
  Type: Inline
  Extraction/Transform: <vdv\d\d\d:(?)\s
  Owner: cus
  App: search
  Sharing: Private
  Status: Enabled

What am I missing ?

0 Karma
1 Solution

SplunkTrust

Your search

sourcetype="adapter" | rex field=_raw "<vdv\d\d\d:(?<messagetype>)\s"

does not capture any characters in the brackets for the field message_type. I'm not sure what your initial extraction does because it appears some characters were mangled in the post.

An untested regex to extract the VDV message type might be

| rex "<vdv(\d+):(?<message_type>[^\s>/]+)"


0 Karma
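As an added illustration (not part of the original thread), the following Python script runs both regexes, the one posted in the question and the one from the accepted answer, over the event the poster supplied plus two constructed events, and reports which fields would end up in the sidebar. Python's re module is not Splunk's PCRE engine, so named groups are spelled (?P<name>...) here, but the matching behaviour of these particular patterns is the same. It assumes, as the answer implies, that Splunk creates no field from an empty capture.

```python
import re

# Event copied from the question (it is truncated there as well); the value the
# poster wants is the element name after "<vdv453:", i.e. "DatenAbrufenAntwort".
POSTED_EVENT = (
    '[2012-11-12 07:54:49,568] INFO technical.http.ans.app.vdv.util.http.VdvHttpLogger '
    'createLogEntry - IN --> otv ans DatenAbrufenAntwort ok /10.104.180.7:2800 '
    '<?xml version="1.0" encoding="ISO-8859-1"?><vdv453:DatenAbrufenAntwort xmlns:xsi="'
)

# Two constructed events (not from the post): a second message type, and one with
# whitespace right after the colon so that the posted regex does match.
CONSTRUCTED_EVENT = (
    '[2012-11-12 07:55:01,002] INFO technical.http.ans.app.vdv.util.http.VdvHttpLogger '
    'createLogEntry - OUT <-- <vdv453:StatusAnfrage xmlns:xsi="http://example.invalid"/>'
)
CONSTRUCTED_WHITESPACE_EVENT = '[2012-11-12 07:55:02,100] INFO <vdv453: kein Typ'

# The regex as posted in the question. Python spells named groups (?P<name>...);
# Splunk's PCRE engine accepts (?<name>...). The group body is empty, so even
# when the pattern matches it captures "".
POSTED_REGEX = re.compile(r"<vdv\d\d\d:(?P<messagetype>)\s")

# The regex from the accepted answer: one or more characters that are neither
# whitespace, ">" nor "/" become the field value.
FIXED_REGEX = re.compile(r"<vdv(\d+):(?P<message_type>[^\s>/]+)")


def extract(regex, event):
    """Mimic a Splunk search-time EXTRACT / rex on a single event.

    The first match wins and every named group becomes a field. Empty captures
    are dropped, on the assumption (stated in the lead-in) that Splunk creates
    no field from them; an event that does not match yields no fields at all.
    """
    match = regex.search(event)
    if match is None:
        return {}
    return {name: value for name, value in match.groupdict().items() if value}


def sidebar_fields(regex, events):
    """Field names that would appear in the fields sidebar at all: those with a
    non-empty value in at least one event of the result set."""
    names = set()
    for event in events:
        names.update(extract(regex, event))
    return names


if __name__ == "__main__":
    events = [POSTED_EVENT, CONSTRUCTED_EVENT, CONSTRUCTED_WHITESPACE_EVENT]
    for label, regex in (("posted", POSTED_REGEX), ("fixed", FIXED_REGEX)):
        print(f"{label}: sidebar fields = {sorted(sidebar_fields(regex, events)) or 'none'}")
        for event in events:
            print(f"  matched={regex.search(event) is not None} fields={extract(regex, event)}")
```

The posted pattern fails twice over: on the real event it does not match at all, because `\s` demands whitespace right after the colon, and on the constructed whitespace event it matches but captures nothing, so no field is produced either way. Two further things to check once the corrected regex is in place: a field only appears under "Interesting fields" when it has a value in at least 20% of the events in the result set, otherwise it is listed under "All fields", and `| table message_type` at the end of the search shows it regardless. In props.conf the same extraction is written under the sourcetype stanza as `EXTRACT-vdvmessagetype = <vdv(\d+):(?<message_type>[^\s>/]+)`.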

Splunk Employee

Fields are displayed in the field list on the left side of the results page.
Make sure not to disable automatic field extraction (on 4.2 by sliding the option, on 5.* by using the fast options),

or simply add | table myfield at the end of the search.

0 Karma

Builder

Thank you for your answer.
I tried your regex, but no field is displayed on the left (next to the other fields) when I run the corrected regex. Where are extracted fields supposed to be displayed?

0 Karma


Builder

I've tried it in a Perl regex tester with my log file, but in the search I have no field displayed and also no error message. Here is what I tried:

sourcetype="adapter" | rex field=_raw "<vdv\d\d\d:(?<messagetype>)\s"

and here is what I tried to extract :
[2012-11-12 07:54:49,568] INFO technical.http.ans.app.vdv.util.http.VdvHttpLogger createLogEntry - IN --> otv ans DatenAbrufenAntwort ok /10.104.180.7:2800 <?xml version="1.0" encoding="ISO-8859-1"?><vdv453:DatenAbrufenAntwort xmlns:xsi="

0 Karma

Motivator

Have you tried an inline rex command in your search string first, to check whether you're getting matches at all?

0 Karma