Solved: Why is the field I have extracted not shown and no...

WXY · ‎09-11-2018

I extracted three fields.

The data is \\VMMSNEWPALM2SER\Process(TIDC.Imports)\% Privileged Time, ,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0

I want to extract the VMMSNEWPALM2SER , Process(TIDC.Imports) and % Privileged Time

My rex is \\\\(?P<vm_h>\w+) , \w+\\\\(?P<v_fields>.*)\\\\ and ^[^\)\n]*\)\\(?P<vm_f>.*?),

But now, I can't use the v_fields to find the data, though I'm sure I've extracted it.

And, I can find the v_fields in the left fields sidebar.

why?

What should I do?

gcusello · ‎09-12-2018

Hi WXY,
try the following regex

index=v_index
| rex "\\\\(?<vm_h>[^\\]*)\\(?<v_fields>[^\\]*)\\(?<field_3>[^,]*)"
| table _time vm_h v_fields field_3

You can test it at https://regex101.com/r/xJredr/1

Bye.
Giuseppe

View solution in original post

DEAD_BEEF · ‎09-12-2018

It may not be in the left sidebar is there is not enough event coverage for it to populate there. Just something to keep in mind. Also I recommend switching to @cusello regex instead of yours.

gcusello · ‎09-12-2018

Hi WXY,
try the following regex

index=v_index
| rex "\\\\(?<vm_h>[^\\]*)\\(?<v_fields>[^\\]*)\\(?<field_3>[^,]*)"
| table _time vm_h v_fields field_3

You can test it at https://regex101.com/r/xJredr/1

Bye.
Giuseppe

Why is the field I have extracted not shown and not available for search?

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Are you a member of the Splunk Community?

Why is the field I have extracted not shown and not available for search?

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions