Splunk Search

missing extraction fields

gersplunk
Engager

I've created field extractions in splunkcloud.com, but they don't appear.

Here are my extractions:

settings > fields > field extractions: App: searching & reporting, config source: visible in app, Owner: sc_admin

Name: journal : EXTRACT-destip
Type: Inline
Extraction: "dest_ip\":\"(?P<destip>[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\""
Owner: sc_admin
App: search
Sharing: Global | Permissions
Status: Enabled
Object should appear in: all apps
Permissions: apps r/w, sc_admin r/w

Name: journal : EXTRACT-srcip
Type: Inline
Extraction: "src_ip\":\"(?P<srcip>[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\""
Owner: sc_admin
App: search
Sharing: App | Permissions
Status: Enabled
Object should appear in: this app only (search)
Permissions: sc_admin r/w


After "Add data" from a tar.gz file upload,

splunkcloud (logged in as sc_admin) > search > interesting fields > all fields: "all fields" doesn't include those fields.

What am I missing?

Btw, if I extract new fields with the same names it objects because they already exist.


yuanliu
SplunkTrust

As several people urged you, please post a complete sample event, not screen cutouts.  You can sanitize the sample any way you like, but keep quotation marks, commas, curly brackets and square brackets in their exact places.

Meanwhile, the cutouts give me enough info to determine that part of the event is JSON.  Here is an experiment for you.

| rex "^[^{]+(?<only_json>.+})"
| spath input=only_json

See if more fields get out.

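The difference between the two approaches discussed in this thread (a literal regex per field versus isolating the JSON body and parsing it) is easy to see outside Splunk. The following Python script is an added illustration, not code from the thread or from Splunk: it runs the two inline extractions from the question and the `rex`-style "cut to the JSON" pattern from the answer above over three constructed events (a syslog-style prefix followed by a JSON body, which is what the screenshots suggest the data looks like). The third event differs only in having a space after each colon, which is enough to make the literal regex miss while a JSON parser still finds the field. In Splunk the equivalent of `extract_json_body` is the `| rex ... | spath input=only_json` pair shown above.

```python
import json
import re

# Constructed sample events (not data from the thread): a syslog-style prefix
# followed by a JSON body, which is what the screenshots in the thread suggest.
SAMPLE_EVENTS = [
    'Mar 04 10:15:01 host1 sensor[123]: {"ts":"2025-03-04T10:15:01Z","src_ip":"10.0.0.5","dest_ip":"192.168.1.10","action":"allow"}',
    'Mar 04 10:15:02 host1 sensor[123]: {"ts":"2025-03-04T10:15:02Z","src_ip":"10.0.0.7","dest_ip":"192.168.1.11","action":"deny"}',
    # Same keys, but the producer emitted a space after each colon: a literal
    # regex for dest_ip\":\" no longer matches, while a JSON parser does not care.
    'Mar 04 10:15:03 host1 sensor[123]: {"dest_ip": "192.168.1.12", "src_ip": "10.0.0.9", "action": "allow"}',
]

# The two inline extractions as posted in the question (curly quote corrected).
DEST_IP_RE = re.compile(r'dest_ip\":\"(?P<destip>[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\"')
SRC_IP_RE = re.compile(r'src_ip\":\"(?P<srcip>[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\"')

# The rex from yuanliu's answer: skip everything before the first '{' and keep
# the rest up to the last '}'.
ONLY_JSON_RE = re.compile(r'^[^{]+(?P<only_json>.+})')


def extract_with_regex(event: str) -> dict:
    """Regex-fragment approach: returns only the fields whose literal pattern matched."""
    fields = {}
    m = DEST_IP_RE.search(event)
    if m:
        fields["destip"] = m.group("destip")
    m = SRC_IP_RE.search(event)
    if m:
        fields["srcip"] = m.group("srcip")
    return fields


def extract_json_body(event: str):
    """Isolate the JSON part of the event and parse it (the rex + spath idea).

    Returns the parsed object, or None when no parseable JSON is found.
    The rex requires at least one character before the first '{', so an
    event that is entirely JSON is handled by the fallback branch.
    """
    m = ONLY_JSON_RE.search(event)
    candidate = m.group("only_json") if m else event.strip()
    if not candidate.startswith("{"):
        return None
    try:
        return json.loads(candidate)
    except json.JSONDecodeError:
        return None


def compare(events):
    """Side-by-side view: which approach yields dest_ip for each event."""
    rows = []
    for ev in events:
        via_regex = extract_with_regex(ev).get("destip")
        body = extract_json_body(ev)
        via_json = body.get("dest_ip") if isinstance(body, dict) else None
        rows.append((via_regex, via_json))
    return rows


if __name__ == "__main__":
    for ev, (r, j) in zip(SAMPLE_EVENTS, compare(SAMPLE_EVENTS)):
        print(f"regex dest_ip={r!r:<18} json dest_ip={j!r}")
```

Running it shows the first two events extracted by both methods and the third only by the JSON path; that is the kind of silent gap a per-field regex leaves when the producer changes its formatting, and why parsing the JSON body once is the more robust choice when the event really is JSON.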

gersplunk
Engager

Nice trick @livehybrid, but no luck.

[screenshot: gersplunk_0-1741077796696.png]

Here's the field extraction for dest_ip

[screenshot: gersplunk_1-1741078900284.png]

You can see the preview says '1000 events'... and there's a "dest_ip" at bottom left.

then >Save, >Finish

[screenshot: gersplunk_2-1741079348843.png]

>Explore the fields I just created in Search:

it has changed the time range to last 24h, showing no results; then I change to All Time

and get the usual result: no sign of my extraction field on the left, in the 105 more fields or in All fields, etc.

[screenshot: gersplunk_3-1741079559330.png]

isoutamo
SplunkTrust

You should have raw data from the source. Then do the needed extraction, or use spath if it's JSON. The best option is to ingest the data into your test/dev environment (like your workstation) and, when it works, copy those into your SCP environment. You could/should create app(s) for those KOs to manage them.
As you have SCP in use, you could order a dev/test license from Splunk to use in your test environment.


yuanliu
SplunkTrust

Forget your extractions.  The code snippet looks exactly like trying to use regex to extract from JSON.  Could you clarify whether the full raw event is in JSON? If it is, do not use regex.  If JSON is just part of the event, the best option is to use an extraction to extract the part that is JSON instead of directly extracting information fragments.


gersplunk
Engager

Thanks for the reply, @yuanliu. Sadly I don't know whether it's actually JSON; it might be. It's a college assignment, and we just know it's a bunch of data/logs in a tar.gz. "src_ip" and the other one have never appeared automatically in interesting fields so far. Would you expect them to appear under their "natural names" if it was JSON, or would I need to do something proactive?

Either way, why doesn't the extracted field appear?


livehybrid
SplunkTrust

Hi @gersplunk 

When you search for the data, do you have src_ip or dest_ip in the field list on the left?

You could also add | table *_ip to your search to see if src/dest IP is already an extracted field from the JSON.

If you can post a screenshot and/or sample data then it might help us work with you on getting to the bottom of this 🙂

Please let me know how you get on and consider adding karma to this or any other answer if it has helped.
Regards

Will
