All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why are my fields not showing after using interactive field extractor?

ulrich_track
Path Finder
‎08-27-2014 04:23 AM

I want to extract fields from my log files. Therefore I used the interactive field extractor. A regex was created, I tested and stored it and gave permissions to the search app.

When I enter the search app, my field does not show up.

Even when I select the same sourcetype. The field occurs in 195 of 7000 events.

What did I miss?
Is there also any tutorial on how to use Splunk-specific Regexes (e.g. ?P and that stuff)

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ulrich_track
Path Finder
‎08-27-2014 04:52 AM

I just found the problem:
I named the FIELDNAME with a hyphen inside (Server-ID).
When deleting the Field Extraction, creating it again but storing under a name without a hyphen (ServerID), it showed up.
If hyphens pose a problem to splunk, the programmers should send a warning message that hyphens are not allowed, shouldn't they?

View solution in original post

Reply
Solved! Jump to solution

Runals
Motivator
‎08-27-2014 04:52 AM

I recommend using either of the following sites to test your regex. If you load a few example logs there you can see how well it matches.

http://regex101.com

http://www.regexr.com/v1

The other way is to pull your regex out of the transforms and pop it into your search ala

... | rex "<your regex>" | table <rex defined field> _raw

if wanted to get crazy you could do something like the following as it is usually the punctuation that throws of rex statements (maybe just mine =).

... | dedup punct | rex "<your regex>" | table <rex defined field> _raw

The other issue is one of permissions but that is a harder nut to crack.

0 Karma
Reply
Solved! Jump to solution
Solution

ulrich_track
Path Finder
‎08-27-2014 04:52 AM

I just found the problem:
I named the FIELDNAME with a hyphen inside (Server-ID).
When deleting the Field Extraction, creating it again but storing under a name without a hyphen (ServerID), it showed up.
If hyphens pose a problem to splunk, the programmers should send a warning message that hyphens are not allowed, shouldn't they?

Reply
Solved! Jump to solution

ulrich_track
Path Finder
‎08-27-2014 04:51 AM

I just found the problem:

I named the FIELDNAME with a hyphen inside.
When deleting the Field Extraction, creating it again but storing under a name without a hyphen, it showed up.

If hyphens pose a problem to splunk, the programmers should send a warning message that hyphens are not allowed, shouldn't they?

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎08-27-2014 04:28 AM

can you provide some sample events and the regex used?

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...