Hey folks, sup?
Can anyone tell me if this is something about software licensing or sorta?
I have just extracted like 3 or 4 fields using regex, data fixed position ".{20}", ".{10}".
Fields seem to be extracted correctly, considering spaces.
But when I try to filter by any of these, no results are found.
If I used for example channel=* , I can see the channel table list.
But if I use like channel=ABC it doesn't work, but it's there...
What could cause this?
Thanks in advance!
You are probably running into this well-known problem:
http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/
The solution is to put this into fields.conf in the same directory that you have your field extractions (where props.conf is):
[MyField]
INDEXED_VALUE = false
Worked fine....
Thanks a lot @woodcock !
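A simplified Python model of why `channel=*` returns events while `channel=<value>` returns nothing until `INDEXED_VALUE = false` is set; this is an added example, not code from the thread or from Splunk. The tokenizer is a rough stand-in for Splunk's segmentation, the group name `channel` is an assumption (the regex as posted lost its group name), and the events are sample lines quoted in the thread.

```python
import re

# Sample events: fixed-position lines quoted in the thread (no delimiters).
EVENTS = [
    "20151022TX04100089450096950042E0000008301",
    "20151022ZX04100016720099920072E0000001304",
    "20151022FX04100012340099970056E0000004504",
]

# Search-time extraction in the style of the thread; the name "channel" is assumed.
EXTRACT = re.compile(r"\d+(?P<channel>.{12})")


def build_lexicon(events):
    """Index-time model: map each whole term to the ids of events containing it.
    Splitting on non-alphanumerics is a simplification of real segmentation."""
    lexicon = {}
    for i, raw in enumerate(events):
        for term in filter(None, re.split(r"[^A-Za-z0-9]+", raw)):
            lexicon.setdefault(term.lower(), set()).add(i)
    return lexicon


LEXICON = build_lexicon(EVENTS)


def extract(raw):
    """Search-time field extraction: returns the channel value or None."""
    m = EXTRACT.search(raw)
    return m.group("channel") if m else None


def search(value, indexed_value=True):
    """Model of `channel=<value>`.
    indexed_value=True  : default; the value is first looked up as an indexed term.
    indexed_value=False : all events are scanned and filtered after extraction."""
    if value != "*" and indexed_value:
        # The value is only a substring of one long term, so the lookup misses.
        candidates = sorted(LEXICON.get(value.lower(), ()))
    else:
        candidates = range(len(EVENTS))
    return [EVENTS[i] for i in candidates
            if extract(EVENTS[i]) is not None
            and (value == "*" or extract(EVENTS[i]) == value)]
```

Each sample line is indexed as a single 41-character term, so a lookup for the 12-character field value finds no candidate events even though the extraction itself is correct.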
Have you tried channel="ABC"?
Can you show the actual field extraction and the search?
This is an example of my data:
( it's a fixed position data )
20151022TX04100089450096950042E0000008301
20151022ZX04100016720099920072E0000001304
20151022FX04100012340099970056E0000004504
20151020CAAB2584 0067970056E0000009804
20151018CAAD2260 0409750103W0000000211
20151021CHAC1941 0356750001W0000002209
20151021CHAB1941 0023390098W0000002209
As it's a fixed position, I matched the regex like this: "\d+(?P.{12})"
And other cases, for example the letter which stands for W=working E=error
I used ".{30}(?P.{1})"
I was able to extract these fields, but I'm unable to filter them, it only works with =*
Yeap, still shows "No results found."
Filters are "Preset: All Time" and "Smart Mode".
Although Verbose mode didn't work as well...