Splunk Search

FIELDNAME for field extraction test disappeared

klaurean
Engager

I have been trying to make a new field using IFX by making a search and selecting "extract fields" and then inputting the examples that I want (I want a field for data like src=rcdn-vif41-19 and src=rtp1-vif17-15, and a separate field for data like src=rcdn9-dci04n-ucs02-b and src=alln01-dci04n-ucs01-a). I tested the regex example it gave and it seemed to work fine; I just had to add the "FIELDNAME" field to the list to be shown, as it said I would have to in the Splunk documentation. Then I went back and saved the field as a name other than FIELDNAME and it worked fine. Now I am trying to make the second field of things like src=alln01-dci04n-ucs01-a, and when I go to test the regex example it made, I cannot find the FIELDNAME field in the possible fields list. The test search is

index=foo sourcetype="syslog" | head 10000 | rex "(?i)(?P<fieldname>[^ ]+)\s+\d+:\d+:\d+:\d+\." | top 50 FIELDNAME

Could anyone tell me how to get the FIELDNAME field back?

Side note, I deleted the first field that I created because it actually wasn't what I wanted and tried to recreate it, and the same problem of FIELDNAME not showing up again in the regex test field list happened again.

If anyone could help me that would be great!

0 Karma
1 Solution

lguinn2
Legend

Field names are case-sensitive. So in the following search

index=foo sourcetype="syslog" 
| head 10000 
| rex "(?i)(?P<fieldname>[^ ]+)\s+\d+:\d+:\d+:\d+\." 
| top 50 FIELDNAME

fieldname and FIELDNAME are not the same. I think the IFX uses FIELDNAME.

So perhaps the following is what you want:

index=foo sourcetype="syslog" 
| head 10000 
| rex "(?i)(?P<FIELDNAME>[^ ]+)\s+\d+:\d+:\d+:\d+\." 
| top 50 FIELDNAME
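
The case-sensitivity point worked through outside Splunk, as an added example that is not part of the thread: Python's `re` module uses the same `(?P<name>...)` named-group syntax as `rex`, so the question's regex can be run over a few constructed syslog-style lines to show that `(?i)` makes the match case-insensitive but leaves the group name `fieldname` exactly as written, and a lookup keyed `FIELDNAME` stays empty until the group itself is renamed. The sample events and their layout are constructed, not the poster's real data.

```python
import re
from collections import Counter

# Constructed sample events (not the poster's real data). The token before the
# "n:n:n:n." sequence is what the IFX-generated regex below captures.
SAMPLE_EVENTS = [
    "src=rcdn-vif41-19 10:11:12:13. connection opened",
    "src=rtp1-vif17-15 10:11:12:14. connection opened",
    "src=rcdn-vif41-19 10:11:12:15. connection closed",
    "SRC=alln01-dci04n-ucs01-a 10:11:12:16. connection opened",
]

# The regex exactly as IFX generated it in the question: group named 'fieldname'.
REX_LOWER = r"(?i)(?P<fieldname>[^ ]+)\s+\d+:\d+:\d+:\d+\."
# The accepted answer's fix: nothing changes except the group name's case.
REX_UPPER = r"(?i)(?P<FIELDNAME>[^ ]+)\s+\d+:\d+:\d+:\d+\."


def rex(events, pattern):
    """Emulate `| rex "<pattern>"`: one dict of named groups per event.

    An event the pattern does not match gets an empty dict, mirroring rex
    adding no fields to that event. The (?i) flag only affects matching of
    the event text; the group name is taken literally.
    """
    compiled = re.compile(pattern)
    return [m.groupdict() if (m := compiled.search(e)) else {} for e in events]


def top(rows, field, limit=50):
    """Emulate `| top <limit> <field>`: count values of exactly that field.

    Field names are compared case-sensitively, so asking for FIELDNAME when
    the extraction produced fieldname yields no rows at all.
    """
    counts = Counter(row[field] for row in rows if field in row)
    return counts.most_common(limit)


if __name__ == "__main__":
    print("lowercase group, top FIELDNAME:", top(rex(SAMPLE_EVENTS, REX_LOWER), "FIELDNAME"))
    print("lowercase group, top fieldname:", top(rex(SAMPLE_EVENTS, REX_LOWER), "fieldname"))
    print("uppercase group, top FIELDNAME:", top(rex(SAMPLE_EVENTS, REX_UPPER), "FIELDNAME"))
```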


klaurean
Engager

FIELDNAME came back using your suggestion of just replacing the lowercase with the uppercase FIELDNAME. Thanks!

0 Karma

klaurean
Engager

I did not see that distinction. I will try to make the two fields again today and let you know how it goes.

0 Karma