Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I unable to filter by any regex extracted field?

vtsguerrero
Contributor
‎10-26-2015 10:20 AM

Hey folks, sup?

Can anyone tell me if this is something about software licensing or sorta?
I have just extracted like 3 or 4 fields using regex, data fixed position ".{20}", ".{10}"".
Fields seem to be extracted correctly, considering spaces.
But when I try to filter by any of these, no results are found.
If I used for example channel=* , I can see the channel table list.
But If I use like channel=ABC it doesn't work, but it's there...

What could cause this?
Thanks in advance!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎10-26-2015 10:52 AM

You are probably running in to this well-known problem:

http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/

The solution is to put this into fields.conf in the same directory that you have your field extractions (where props.conf is):

[MyField]
INDEXED_VALUE = false

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎10-26-2015 10:52 AM

You are probably running in to this well-known problem:

http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/

The solution is to put this into fields.conf in the same directory that you have your field extractions (where props.conf is):

[MyField]
INDEXED_VALUE = false
Reply
Solved! Jump to solution

vtsguerrero
Contributor
‎10-26-2015 10:57 AM

Worked fine....
Thanks a lot @woodcock !

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-26-2015 10:32 AM

Have you tried channel="ABC"?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎10-26-2015 10:43 AM

Can you show the actual field extraction and the search?

0 Karma
Reply
Solved! Jump to solution

vtsguerrero
Contributor
‎10-26-2015 10:52 AM

This is an example of my data:
( it's a fixed position data )

20151022TX04100089450096950042E0000008301
20151022ZX04100016720099920072E0000001304
20151022FX04100012340099970056E0000004504
20151020CAAB2584    0067970056E0000009804
20151018CAAD2260    0409750103W0000000211
20151021CHAC1941    0356750001W0000002209
20151021CHAB1941    0023390098W0000002209

As it's a fixed position, I matched the regex like this: "\d+(?P.{12})"

And other cases, for example the letter wich stands for W=working E=error
I used ".{30}(?P.{1})"

I was able to extract these fields, but I'm unable to filter them, it only works with =*

0 Karma
Reply
Solved! Jump to solution

vtsguerrero
Contributor
‎10-26-2015 10:41 AM

Yeap, still shows "No results found."
Filters are "Preset: All Time" and "Smart Mode".
Although Verbose mode didn't work as well...

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...