- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Why am I unable to filter by any regex extracted f...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey folks, sup?
Can anyone tell me if this is something about software licensing or sorta?
I have just extracted like 3 or 4 fields using regex, data fixed position ".{20}", ".{10}"".
Fields seem to be extracted correctly, considering spaces.
But when I try to filter by any of these, no results are found.
If I used for example channel=* , I can see the channel table list.
But If I use like channel=ABC it doesn't work, but it's there...
What could cause this?
Thanks in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are probably running in to this well-known problem:
http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/
The solution is to put this into fields.conf in the same directory that you have your field extractions (where props.conf is):
[MyField]
INDEXED_VALUE = false
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are probably running in to this well-known problem:
http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/
The solution is to put this into fields.conf in the same directory that you have your field extractions (where props.conf is):
[MyField]
INDEXED_VALUE = false
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Worked fine....
Thanks a lot @woodcock !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you tried channel="ABC"?
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you show the actual field extraction and the search?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is an example of my data:
( it's a fixed position data )
20151022TX04100089450096950042E0000008301
20151022ZX04100016720099920072E0000001304
20151022FX04100012340099970056E0000004504
20151020CAAB2584 0067970056E0000009804
20151018CAAD2260 0409750103W0000000211
20151021CHAC1941 0356750001W0000002209
20151021CHAB1941 0023390098W0000002209
As it's a fixed position, I matched the regex like this: "\d+(?P.{12})"
And other cases, for example the letter wich stands for W=working E=error
I used ".{30}(?P.{1})"
I was able to extract these fields, but I'm unable to filter them, it only works with =*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeap, still shows "No results found."
Filters are "Preset: All Time" and "Smart Mode".
Although Verbose mode didn't work as well...
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
