Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why am I unable to filter by any regex extracted field?

vtsguerrero
Contributor
‎10-26-2015 10:20 AM

Hey folks, sup?

Can anyone tell me if this is something about software licensing or sorta?
I have just extracted like 3 or 4 fields using regex, data fixed position ".{20}", ".{10}"".
Fields seem to be extracted correctly, considering spaces.
But when I try to filter by any of these, no results are found.
If I used for example channel=* , I can see the channel table list.
But If I use like channel=ABC it doesn't work, but it's there...

What could cause this?
Thanks in advance!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎10-26-2015 10:52 AM

You are probably running in to this well-known problem:

http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/

The solution is to put this into fields.conf in the same directory that you have your field extractions (where props.conf is):

[MyField]
INDEXED_VALUE = false

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎10-26-2015 10:52 AM

You are probably running in to this well-known problem:

http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/

The solution is to put this into fields.conf in the same directory that you have your field extractions (where props.conf is):

[MyField]
INDEXED_VALUE = false
Reply
Solved! Jump to solution

vtsguerrero
Contributor
‎10-26-2015 10:57 AM

Worked fine....
Thanks a lot @woodcock !

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-26-2015 10:32 AM

Have you tried channel="ABC"?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

lguinn2
Legend
‎10-26-2015 10:43 AM

Can you show the actual field extraction and the search?

0 Karma
Reply
Solved! Jump to solution

vtsguerrero
Contributor
‎10-26-2015 10:52 AM

This is an example of my data:
( it's a fixed position data )

20151022TX04100089450096950042E0000008301
20151022ZX04100016720099920072E0000001304
20151022FX04100012340099970056E0000004504
20151020CAAB2584    0067970056E0000009804
20151018CAAD2260    0409750103W0000000211
20151021CHAC1941    0356750001W0000002209
20151021CHAB1941    0023390098W0000002209

As it's a fixed position, I matched the regex like this: "\d+(?P.{12})"

And other cases, for example the letter wich stands for W=working E=error
I used ".{30}(?P.{1})"

I was able to extract these fields, but I'm unable to filter them, it only works with =*

0 Karma
Reply
Solved! Jump to solution

vtsguerrero
Contributor
‎10-26-2015 10:41 AM

Yeap, still shows "No results found."
Filters are "Preset: All Time" and "Smart Mode".
Although Verbose mode didn't work as well...

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...