I have defined a field extraction that seems to properly extract fields:
EXTRACT-KVSAxis = KV(?:Blade)*(?<KVSAxis>[XY][12]|Filter(?:Shape|Foil))
I am able to timechart that field as well, but I am unable to use it to drill down or use it in a search.
The following queries do work:
... | table KVSAxis
which tables the field content for every event as expected
... | eval test=KVSAxis | where test="FilterShape"
which filters correctly on the field test and its content.
But when I drop the eval and query the field directly this does not work:
... | where KVSAxis="FilterShape"
Any clue how I can get my latest search to work as expected and filter on the KVSAxis field?
@jmartens - Ah. Dashboard. You had not mentioned that. Try this...
| search KVSAxis=\"FilterShape\"
Nope, searches do not work in dashboard as well as in Verbose search mode. Apart from that I am aware of escaping and AFAIK there is no use in escaping " using a backslash in XML as it should be &quot;.
What is your setting of "Search Mode"?
If "Fast Mode", Splunk may ignore fields that are not explicitly specified (as they are when you used "| eval test=KVSAxis").
Try "Verbose Mode" or add "| fields KVSAxis" to force extraction of this field.
Adding the | fields KVSAxis clause does not yield any improvement.
Search is running in a dashboard, so I am not sure. Even if I run it in verbose mode in the search app, it does work as described and not as expected.
@jmartens - Check this to see if we have any trailing space issues...
| eval test=KVSAxis
| eval lentest=len(test)
| eval lenKVSA=len(KVSAxis)
If the above are equal, then as exploratory information-seeking tools, try each of these and see what changes...
| search KVSAxis="FilterShape"
| search 'KVSAxis'="FilterShape"
| where "FilterShape"=KVSAxis
| where "FilterShape"='KVSAxis'
| where 'KVSAxis'="FilterShape"
It does not seem to be a leading/trailing space issue as adding
| eval test=KVSAxis
| eval lentest=len(test)
| eval lenKVSA=len(KVSAxis) | table KVSAxis, lentest, lenKVSA
yields the same numbers for lentest and lenKVSA consequently, which matches with the actual length in characters of the string.
Your additional troubleshoot searches all yield the same results as my original, no events are displayed as soon as I add any of the filters.
If I look in the field list (using my original search), the desired events are present and the field seems to be extracted properly, as it is in the list on the left-hand side. If I click on the field name, I see the values extracted and the count of occurrences, as can be seen in the following screenshot.
@jmartens, what happens when you replace where with search?
<YourBaseSearch> "*FilterShape*"
| search KVSAxis="FilterShape"
Can you add some sample events?
That also gives the same result as my opening question, no events are listed when I add the search criteria.