Hi,
I went to the search of my own app and created an extracted field using the wizard. Once created, I go to Settings --> Field extractions and I can see the extracted field, type inline, assigned to my app, enabled, and with permissions on the app for everyone read and write.
Then I go to my app once again and I perform a simple query in verbose mode. To be sure, I also click on All fields, so that all fields are actually shown:
index=cisco sourcetype="cisco:esa:amp"
Unfortunately the extracted field does not show on the list.
Any idea what I am missing?
Many thanks.
Hi @corti77,
Did you try to extract that field using rex inside the search?
What happens if you run this?
index=cisco sourcetype="cisco:esa:amp" your_field=*
Ciao.
Giuseppe
Yes, I did that to work around the issue.
This works perfectly:
index=cisco sourcetype="cisco:esa:amp"
| rex field=_raw "Malware = (?<malware>.+?),"
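The rex pattern from the reply above, applied outside Splunk to a few constructed sample lines so that the match and no-match cases can be inspected; this is an added example, not code from the thread, and the layout of the sample events is an assumption rather than real Cisco ESA AMP output.

```python
import re

# The extraction pattern from the thread's rex command, reproduced unchanged.
MALWARE_RE = re.compile(r"Malware = (?P<malware>.+?),")

# Constructed sample events (NOT real Cisco ESA AMP log lines); the field
# layout is assumed only to exercise the pattern.
SAMPLE_EVENTS = [
    "Info: File reputation query, Malware = Trojan.Generic.12345, SHA256 = abc",
    "Info: Verdict update, Malware = Win.Exploit.Test, verdict = malicious",
    "Info: clean file, no Malware field present at all",
    "Info: Malware = Eicar-Test-Signature",  # value is last: no trailing comma
]


def extract_malware(event: str):
    """Return the value rex would assign to `malware`, or None when the
    pattern does not match (Splunk then simply leaves the field unset)."""
    m = MALWARE_RE.search(event)
    return m.group("malware") if m else None


def extraction_report(events):
    """Apply the pattern to every event and count matches vs. misses. This is
    the same check `your_field=*` performs in the search bar: events where the
    pattern fails never get the field, so they silently drop out."""
    results = [extract_malware(e) for e in events]
    matched = sum(r is not None for r in results)
    return {"results": results, "matched": matched, "missed": len(events) - matched}


if __name__ == "__main__":
    report = extraction_report(SAMPLE_EVENTS)
    for event, value in zip(SAMPLE_EVENTS, report["results"]):
        print(f"{value!r:32} <- {event}")
    print(f"matched={report['matched']} missed={report['missed']}")
```

The last sample line shows the caveat worth checking before trusting a saved extraction: the pattern requires a comma after the value, so an event where `Malware = ...` is the final field yields no `malware` value at all, even though the extraction is configured correctly.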
Hi @corti77,
If the field extraction runs with the rex command, you should also see it without rex.
What's the sourcetype associated with the field extraction that you can see? It should be "cisco:esa:amp".
Ciao.
Giuseppe
It is cisco:esa:amp.
Have you tested this, e.g. with https://regex101.com?
Your events have this sourcetype and you probably are in this app (based on the screenshot, yes)?
r. Ismo