Splunk Search

Inconsistent field extraction behavior: works when eval'ed but not when used directly?

jmartens
Path Finder

I have defined a field extraction that seems to properly extract fields:

EXTRACT-KVSAxis = KV(?:Blade)*(?<KVSAxis>[XY][12]|Filter(?:Shape|Foil))

I am able to timechart that field as well, but I am unable to use it to drill down or to use it in a search.

The following queries do work:

  1. ... | table KVSAxis

which tables the field content for every event as expected

  2. ... | eval test=KVSAxis | where test="FilterShape"

which filters correctly on the field test and its content.

But when I drop the eval and query the field directly this does not work:

... | where KVSAxis="FilterShape"

Any clue how I can get my latest search to work as expected and filter on the KVSAxis field?

0 Karma
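The extraction and the two filters from the question, mirrored in Python as an added example (this is not code from the original post and not Splunk's own implementation). The regex is the one in the EXTRACT-KVSAxis stanza, rewritten with Python's (?P<name>...) named-group syntax since Splunk's PCRE accepts (?<name>...) and Python's re module does not; the sample events are constructed. It shows what the regex captures per event, and that an exact, case-sensitive comparison (which is how `where` compares string values; `search` matches field values case-insensitively) only matches when the extracted value is byte-for-byte "FilterShape".

```python
import re

# EXTRACT-KVSAxis regex from the post, with the named group in Python syntax.
# Splunk: KV(?:Blade)*(?<KVSAxis>[XY][12]|Filter(?:Shape|Foil))
KVSAXIS_RE = re.compile(r"KV(?:Blade)*(?P<KVSAxis>[XY][12]|Filter(?:Shape|Foil))")

# Constructed sample events (not taken from the original post).
SAMPLE_EVENTS = [
    "2024-03-01 10:00:01 module=KVBladeX1 state=moving",
    "2024-03-01 10:00:02 module=KVFilterShape state=idle ",
    "2024-03-01 10:00:03 module=KVBladeBladeY2 state=error",
    "2024-03-01 10:00:04 module=KVFilterFoil state=idle",
    "2024-03-01 10:00:05 module=Detector state=idle",
]


def extract_kvsaxis(event):
    """Return the first KVSAxis value found in the event, or None if the field is absent."""
    m = KVSAXIS_RE.search(event)
    return m.group("KVSAxis") if m else None


def table_kvsaxis(events):
    """Equivalent of `... | table KVSAxis`: one value per event, None where nothing matched."""
    return [extract_kvsaxis(e) for e in events]


def where_kvsaxis(events, value):
    """Equivalent of `... | where KVSAxis="<value>"`: exact, case-sensitive string equality."""
    return [e for e in events if extract_kvsaxis(e) == value]


def length_check(events):
    """Mirror of the len() troubleshooting step: (value, length) for every extracted value,
    so a stray leading/trailing space would show up as an unexpected length."""
    return [(v, len(v)) for v in table_kvsaxis(events) if v is not None]


if __name__ == "__main__":
    for event, value in zip(SAMPLE_EVENTS, table_kvsaxis(SAMPLE_EVENTS)):
        print(f"{value!r:15} <- {event}")
    print("where KVSAxis=\"FilterShape\":", where_kvsaxis(SAMPLE_EVENTS, "FilterShape"))
    print("where KVSAxis=\"filtershape\":", where_kvsaxis(SAMPLE_EVENTS, "filtershape"))
    print("lengths:", length_check(SAMPLE_EVENTS))
```

Running the block prints the extracted value next to each event; the lowercase comparison returns no rows, which is the kind of result the thread is chasing (the field is visibly extracted, yet an exact filter matches nothing), so it is worth comparing the extracted value's length and case against the literal before looking elsewhere.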

DalJeanis
SplunkTrust

@jmartens - Ah. Dashboard. You had not mentioned that. Try this...

| search KVSAxis=\"FilterShape\"

0 Karma

jmartens
Path Finder

Nope, searches do not work in the dashboard, nor in Verbose search mode. Apart from that, I am aware of escaping, and AFAIK there is no use in escaping " using a backslash in XML, as it should be &quot;.

0 Karma

waechtler
Path Finder

What is your setting of "Search Mode"?
If "Fast Mode", Splunk may ignore fields that are not explicitly specified (as they are when you use "| eval test=KVSAxis").
Try "Verbose Mode" or add "| fields KVSAxis" to force extraction of this field.

0 Karma

jmartens
Path Finder

Adding the | fields KVSAxis clause does not yield any improvement.

0 Karma

jmartens
Path Finder

Search is running in a dashboard, so I am not sure. Even if I run it in verbose mode in the search app, it does work as described and not as expected.

0 Karma

DalJeanis
SplunkTrust

@jmartens - Check this to see if we have any trailing space issues...

| eval test=KVSAxis 
| eval lentest=len(test) 
| eval lenKVSA=len(KVSAxis) 

If the above are equal, then as exploratory information-seeking tools, try each of these and see what changes...

| search KVSAxis="FilterShape"
| search 'KVSAxis'="FilterShape"
| where "FilterShape"=KVSAxis
| where "FilterShape"='KVSAxis'
| where 'KVSAxis'="FilterShape"
0 Karma

jmartens
Path Finder

It does not seem to be a leading/trailing space issue as adding

| eval test=KVSAxis
| eval lentest=len(test)
| eval lenKVSA=len(KVSAxis) | table KVSAxis, lentest, lenKVSA

consistently yields the same numbers for lentest and lenKVSA, which match the actual length in characters of the string.

Your additional troubleshoot searches all yield the same results as my original, no events are displayed as soon as I add any of the filters.

If I look in the field list (using my original search) the desired events are present and the field seems to be extracted properly, as it is in the list on the left hand side. When I click on the field name I see the values extracted and the count of occurrences, as can be seen in the following screenshot:

[screenshot: field list showing the extracted KVSAxis values and their counts; image not reproduced]

0 Karma

niketn
Legend

@jmartens, what happens when you replace where with search

<YourBaseSearch> "*FilterShape*"
| search KVSAxis="FilterShape"

Can you add some sample events?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

jmartens
Path Finder

That also gives the same result as my opening question, no events are listed when I add the search criteria.

0 Karma