Inconsequent field extraction behavior: works when...

jmartens · ‎10-04-2017

I have defined a field extraction that seems to properly extract fields:

EXTRACT-KVSAxis = KV(?:Blade)*(?<KVSAxis>[XY][12]|Filter(?:Shape|Foil))

I am able to timechart that field as well, but I am unable to use it to drill down or use it a search.

The following queries do work:

... | table KVSAxis

which tables the field content for every event as expected

... | eval test=KVSAxis | where test="FilterShape"

which filters correctly on the field test and its content.

But when I drop the eval and query the field directly this does not work:

... | where KVSAxis="FilterShape"

Any clue how I can get my latest search to work as expected and filter on the KVSAxis field?

DalJeanis · ‎10-06-2017

@jmartens - Ah. Dashboard. You had not mentioned that. Try this...

| search KVSAxis=\"FilterShape\"

jmartens · ‎10-18-2017

Nope, searches do not work in dashboard as well as in Verbose search mode. Apart from that I am aware of escaping and AFAIK there is no use in escaping " using a backslash in XML as it should be ".

waechtler · ‎10-04-2017

what is your setting of "Search Mode" ?
If "Fast Mode", splunk may ignore fields that are not explicitly specified (as they are when you used "| eval test=KVSAxis")
Try "Verbose Mode" or add "| fields KVSAxis" to force extraction of this field

jmartens · ‎10-05-2017

Adding the | fields KVSAxis clause does not yield any improvement.

jmartens · ‎10-05-2017

Search is running in a dashboard, so I am not sure. Even if I run it in verbose mode in the search app, it does work as described and not as expected.

DalJeanis · ‎10-04-2017

@jmartens - Check this to see if we have any trailing space issues...

| eval test=KVSAxis 
| eval lentest=len(test) 
| eval lenKVSA=len(KVSAxis)

If the above are equal, then as exploratory information-seeking tools, try each of these and see what changes...

| search KVSAxis="FilterShape"
| search 'KVSAxis'="FilterShape"
| where "FilterShape"=KVSAxis
| where "FilterShape"='KVSAxis'
| where 'KVSAxis'="FilterShape"

jmartens · ‎10-05-2017

It does not seem to be a leading/trailing space issue as adding

| eval test=KVSAxis | eval lentest=len(test) | eval lenKVSA=len(KVSAxis) | table KVSAxis, lentest, lenKVSA

yields the same numbers for lentest and lenKVSA consequently, which matches with the actual length in characters of the string.

Your additional troubleshoot searches all yield the same results as my original, no events are displayed as soon as I add any of the filters.

If I look in the field list (using my original search) the desired events are present and the field seems to be extracted properly as it is in the list on the left hand side. I click on the field name I see the values extracted and the count of occurrences as can be seen in the following screenshot

niketn · ‎10-04-2017

@jmartens, what happens when you replace where with search

<YourBaseSearch> "*FilterShape*"
| search KVSAxis="FilterShape"

Can you add some sample events?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

jmartens · ‎10-05-2017

That also gives the same result as my opening question, no events are listed when I add the search criteria.

Inconsequent field extraction behavior: works when eval'ed but not when used directly?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk