- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- FIELDNAME for field extraction test disappeared
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have been trying to make a new field using IFX by making a search and selecting "extract fields" and then inputting the examples that I want, (I want a field for data like src=rcdn-vif41-19 and src=rtp1-vif17-15 and a separate field for data like src=rcdn9-dci04n-ucs02-b and src=alln01-dci04n-ucs01-a) and I tested the regex example it gave and it seemed to work fine, I just had to add the "FIELDNAME" field to the listed to be shown, as it said that I would have to in the Splunk documentation. Then I went back and saved the field as a name other than FIELDNAME and it worked fine. Now I am trying to make the second field of things like src=alln01-dci04n-ucs01-a and when I go to test the regex example it made, I cannot find the FIELDNAME field in the possible fields list. The test search is "index=foo sourcetype="syslog" | head 10000 | rex "(?i)(?P
Side note, I deleted the first field that I created because it actually wasn't what I wanted and tried to recreate it, and the same problem of FIELDNAME not showing up again in the regex test field list happened again.
If anyone could help me that would be great!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Field names are case-sensitive. So in the following search
index=foo sourcetype="syslog"
| head 10000
| rex "(?i)(?P<fieldname>[^ ]+)\s+\d+:\d+:\d+:\d+\."
| top 50 FIELDNAME
fieldname and FIELDNAME are not the same. I think the IFX uses FIELDNAME
So perhaps the following is what you want:
index=foo sourcetype="syslog"
| head 10000
| rex "(?i)(?P<FIELDNAME>[^ ]+)\s+\d+:\d+:\d+:\d+\."
| top 50 FIELDNAME
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Field names are case-sensitive. So in the following search
index=foo sourcetype="syslog"
| head 10000
| rex "(?i)(?P<fieldname>[^ ]+)\s+\d+:\d+:\d+:\d+\."
| top 50 FIELDNAME
fieldname and FIELDNAME are not the same. I think the IFX uses FIELDNAME
So perhaps the following is what you want:
index=foo sourcetype="syslog"
| head 10000
| rex "(?i)(?P<FIELDNAME>[^ ]+)\s+\d+:\d+:\d+:\d+\."
| top 50 FIELDNAME
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
FIELDNAME came back using your suggestion of just replacing the lowercase with the uppercase FIELDNAME. Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did not see that distinction. I will try to make the two fields again today and let you know how it goes.
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
