In search, with the rex command I can specify which field I want to apply the regex to, as in the following example:
| rex field=event "My Custom regex...."
But if I want to register the same regex in the Field Extraction option (to have it as a reusable object with my team) I don't see any option to specify the field. I assume it registers it against the entire _raw by default.
Any idea if I can specify the field when I create a field with "Field Extraction"?
Can you save it as a macro that your team can reuse?
We're planning to have custom fields so people can directly search by those fields. Field Extraction works well; my only concern is not being able to specify the field, which can cause performance difficulties.
I assume there is a difference between parsing from only the event versus from entire _raw.
Also, I don't want to force developers to use the backtick character for macro(s).
Hi @Rabbit,
yes, putting a regex in the field extractor makes it search in all of _raw,
but you can limit the search to an already extracted field (the same thing as field=event in the rex command) by adding "in event" (without quotes, obviously) at the end of the expression. In other words, please try to put this expression in the field extractor:
My Custom regex.... in event
Ciao.
Giuseppe
Thanks for the quick reply.
But queries return nothing if the "in event" part is added at the end of the line; after removing it they start working again.
By the way, I tried putting the entire regex in quotes followed by the "in event" part (as you can see in the screenshot), and without quotes, but nothing changed.
Hi @Rabbit,
could you share your regex and a sample of your logs?
I have used "in fieldname" many times in my field extractions.
Ciao.
Giuseppe