- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Why am I unable to filter by any regex extract...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey folks, sup?
Can anyone tell me if this is something about software licensing or sorta?
I have just extracted like 3 or 4 fields using regex, data fixed position ".{20}", ".{10}"".
Fields seem to be extracted correctly, considering spaces.
But when I try to filter by any of these, no results are found.
If I used for example channel=* , I can see the channel table list.
But If I use like channel=ABC it doesn't work, but it's there...
What could cause this?
Thanks in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are probably running in to this well-known problem:
http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/
The solution is to put this into fields.conf in the same directory that you have your field extractions (where props.conf is):
[MyField]
INDEXED_VALUE = false
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are probably running in to this well-known problem:
http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/
The solution is to put this into fields.conf in the same directory that you have your field extractions (where props.conf is):
[MyField]
INDEXED_VALUE = false
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Worked fine....
Thanks a lot @woodcock !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried channel="ABC"?
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you show the actual field extraction and the search?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is an example of my data:
( it's a fixed position data )
20151022TX04100089450096950042E0000008301
20151022ZX04100016720099920072E0000001304
20151022FX04100012340099970056E0000004504
20151020CAAB2584 0067970056E0000009804
20151018CAAD2260 0409750103W0000000211
20151021CHAC1941 0356750001W0000002209
20151021CHAB1941 0023390098W0000002209
As it's a fixed position, I matched the regex like this: "\d+(?P.{12})"
And other cases, for example the letter wich stands for W=working E=error
I used ".{30}(?P.{1})"
I was able to extract these fields, but I'm unable to filter them, it only works with =*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeap, still shows "No results found."
Filters are "Preset: All Time" and "Smart Mode".
Although Verbose mode didn't work as well...
Index This | I’m short for "configuration file.” What am I?
New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...
Your Guide to SPL2 at .conf24!
