Why us extracted field not shown in the search?

corti77 · ‎06-22-2022

Hi,

I went to the search of my own app I created a extracted field using the wizard. Once created, I go to Settings--> Fields extractions I can see the extracted field , type inline, assigned to my app , enabled and with permissions on the App for everyone read and write.

then I go to my app once again and I perform a simple query in verbose mode. To be sure I also click on All fields to be sure that all fields are actually shown

index=cisco sourcetype="cisco:esa:amp"

Unfortunately the extracted field does not show on the list.

any idea what I am missing?

many thanks

gcusello · ‎06-22-2022

Hi @corti77,

did you tried to extract that field using rex inside the search?

what does it happen if you run?

index=cisco sourcetype="cisco:esa:amp" your_field=*

Ciao.

Giuseppe

corti77 · ‎06-22-2022

yes, I did that to workaround the issue.

this works perfectly

index=cisco sourcetype="cisco:esa:amp" 
| rex field=_raw "Malware = (?<malware>.+?),"

gcusello · ‎06-22-2022

Hi @corti77,

if the field extraction runs with the rex command, you should see it also without rex.

what's the sourcetype associated to the field extraction that you can see? it should be "cisco:esa:amp".

Ciao.

Giuseppe

corti77 · ‎06-22-2022

it is cisco:esa:amp

isoutamo · ‎06-22-2022

Have you tested this e.g. with https://regex101.com ?

You events have this sourcetype and you probably are in this app (based on screenshot yes)?

r. Ismo

Why us extracted field not shown in the search?

field extraction

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?

Why us extracted field not shown in the search?

field extraction

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers