I've created an extracted field using the field extractor GUI in Splunk Web. When I created it, there were two values for that field. Now that further logs have been processed, there is a new value for that extracted field.
The issue is that the new value does not appear in the field summary, only the previous two values show up. Also, searches for where the extracted field equals the new value do not return any results. But when I search for the new value as just text, the results are actually there.
Specifically, this is extracting the log message type (INFO, WARN, FATAL) from a custom application we've built. The regular expression generated by the field extractor GUI is: ^[^\[\n]*\[(?P<Event_type>\w+) which is meant to match the tag inside of the brackets from logs that look like this:
2016-12-14 01:02:03 [INFO] Process started.
2016-12-14 01:03:04 [WARN] Some error has happened.
2016-12-14 01:03:44 [INFO] Reticulating splines.
2016-12-14 01:04:05 [FATAL] Process failed!
You can see here that the extracted field is working for two values:
I've even tried to use the field extractor GUI again on one of the results that does have the new value for this field. But it shows that it is already recognized as the extracted field I created:
So why is the new value not appearing in the summary or able to be searched directly using the extracted field?
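An added diagnostic (not part of the original post): running the post's regex over the sample lines, plus two constructed line variants that are assumptions rather than anything the poster showed, to see which events yield no Event_type or a wrong one.

```python
import re
from collections import Counter
from typing import List, Optional, Tuple

# The regex generated by the field extractor GUI, quoted from the post.
EVENT_TYPE_RE = re.compile(r"^[^\[\n]*\[(?P<Event_type>\w+)")

# Constructed sample events: the four lines from the post plus two
# hypothetical variants (assumptions, not from the post) that show how
# the regex can miss or mis-capture the level.
SAMPLE_EVENTS = [
    "2016-12-14 01:02:03 [INFO] Process started.",
    "2016-12-14 01:03:04 [WARN] Some error has happened.",
    "2016-12-14 01:03:44 [INFO] Reticulating splines.",
    "2016-12-14 01:04:05 [FATAL] Process failed!",
    # Hypothetical: a bracketed token before the level; the regex grabs
    # the first '[' and captures "worker" instead of FATAL.
    "2016-12-14 01:05:00 [worker-1] [FATAL] Process failed!",
    # Hypothetical: a space after '['; \w+ needs a word char right away,
    # and [^\[\n]* cannot skip past the first '[', so nothing matches.
    "2016-12-14 01:06:00 [ FATAL] Process failed!",
]


def extract_event_type(event: str) -> Optional[str]:
    """Apply the GUI-generated regex to one event; None if no match."""
    m = EVENT_TYPE_RE.match(event)
    return m.group("Event_type") if m else None


def summarize(events: List[str]) -> Tuple[Counter, List[str]]:
    """Return (value -> count, events that produced no Event_type)."""
    counts: Counter = Counter()
    unmatched: List[str] = []
    for ev in events:
        value = extract_event_type(ev)
        if value is None:
            unmatched.append(ev)
        else:
            counts[value] += 1
    return counts, unmatched


if __name__ == "__main__":
    found, missed = summarize(SAMPLE_EVENTS)
    print("values:", dict(found))
    for ev in missed:
        print("no Event_type extracted:", ev)
```

Python's re and Splunk's PCRE agree on this pattern, so an event that fails here is one the search-time extraction will also skip.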