Splunk Search

Why us extracted field not shown in the search?

corti77
Contributor

Hi,

I went to the search of my own app I created a extracted field using the wizard.  Once created, I go to Settings--> Fields extractions I can see the extracted field , type inline, assigned to my app , enabled and with permissions on the App for everyone read and write.

then I go to my app once again and I perform a simple query in verbose mode. To be sure I also click on All fields to be sure that all fields are actually shown 

 

index=cisco sourcetype="cisco:esa:amp"

 

Unfortunately the extracted field does not show on the list.

any idea what I am missing?

many thanks

 

fieldExtraction.pngfieldExtractionPermissiosn.png

selectfields.png

Labels (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @corti77,

did you tried to extract that field using rex inside the search?

what does it happen if you run?

index=cisco sourcetype="cisco:esa:amp" your_field=*

Ciao.

Giuseppe

0 Karma

corti77
Contributor

yes, I did that to workaround the issue.

this works perfectly

index=cisco sourcetype="cisco:esa:amp" 
| rex field=_raw "Malware = (?<malware>.+?)," 
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @corti77,

if the field extraction runs with the rex command, you should see it also without rex.

what's the sourcetype associated to the field extraction that you can see? it should be "cisco:esa:amp".

Ciao.

Giuseppe

0 Karma

corti77
Contributor

it is cisco:esa:amp 

Capture1.PNG

0 Karma

isoutamo
SplunkTrust
SplunkTrust

Have you tested this e.g. with https://regex101.com ?

You events have this sourcetype and you probably are in this app (based on screenshot yes)?

r. Ismo

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...