Hello Splunkers,
I created a (index-time) field extraction with the following regex:
REGEX = ^\d+;\d{11}02(\d{5})\d{5}
This extracts a Number from a CSV-File and stores it in a field "fkennung". I see that the field is filled at index time
and its also in the fields list in splunk UI, filled with correct values. Lets say one of the numbers in that field is 51117.
If i do a wildcard search "fkennung=51*" the search returns the correct events, all numbers in "fkennung" starting with 51.
If id do a wildcard search "fkennung=511*" or a search with the vale "fkennung=51117" splunk doesnt return any results.
Even if i klick on a value at the field menu,the search doesnt return any results.
Any ideas ?
In addition to defining the props/transforms extraction, did you defined the field in fields.conf ?
see http://docs.splunk.com/Documentation/Splunk/latest/Data/Configureindex-timefieldextraction
Try to add the following lines to fields.conf:
[fkennung]
INDEXED=true
In addition to defining the props/transforms extraction, did you defined the field in fields.conf ?
see http://docs.splunk.com/Documentation/Splunk/latest/Data/Configureindex-timefieldextraction
Try to add the following lines to fields.conf:
[fkennung]
INDEXED=true
....it works....just a typo in fields.conf,thank you Yann 🐵
btw, Hi Yann,i guess we met in London 🐵
indeed. Happy it worked 🙂
Yep,did that already 🐵