hi all,
I have an index with a custom field and an extract of my props.conf:
[source::/test/.../*_Splunk_Telemetry.(txt|log)]
sourcetype = script_windows_log
# Field extractors
EXTRACT-script_name = ^.*\/[0-9]*_(?P<script_name>.*)\.[a-z]{3}$ in source
When I launch a generic search I have this result:
For example, for script name Microlise_Splunk_telemetry I have more than 2500 events (I stopped the search before it ended), and if I filter on the script_name field:
There are no results. Why is that?
I tried with "where" and I am getting the same result; with double quotes and single quotes, same result.
Does anybody have any idea?
Thanks for your help.
Can you try index=windows_script_log
and then, as per your 2nd screenshot, when you see Microlise_Splunk_telemetry
click on Microlise_Splunk_telemetry,
which will automatically filter out events for that script_name.
thanks for your reply... I already tested that... same result... no events are displayed...
@fteyssandier, have you also tried the following to see whether you get any results?
index=windows_script_log
| search script_name="Microlise_Splunk_Telemetry"
Also, working with your raw data, have you tried rex to extract the various script_name values?
If nothing works do you mind sharing raw events after masking/anonymizing any sensitive data?
hi,
thanks for your answer...
if I try your query
index=windows_script_log
| search script_name="Microlise_Splunk_Telemetry"
I have no result... 😞
if I try this query
index=windows_script_log | rex field=source "^.*\/[0-9]*_(?P<script_name>.*)\.[a-z]{3}$" | search script_name="Microlise_Splunk_Telemetry"
it works fine, strange...
with the same regex in props.conf... the script_name values are correctly extracted... but when I filter on this... no result; if I do the rex directly in the query, it works fine... aren't these two methods the same thing?
I don't understand what the difference is... for me the result must be the same...
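As an added example (not posted by anyone in this thread), the following Python harness applies the EXTRACT regex from the props.conf above to a few constructed source paths and emulates three of the searches discussed: stats by script_name, a bare keyword matched against the raw text, and the rex-then-search variant. It shows which paths yield a script_name at all, and that a value living only in the source path is never found by a keyword match on _raw. The sample events are constructed, not real data.

```python
import re
from collections import Counter

# EXTRACT regex copied from the props.conf in the thread. The trailing
# "in source" clause means Splunk runs it against the source path, not _raw.
SCRIPT_NAME_RE = re.compile(r"^.*\/[0-9]*_(?P<script_name>.*)\.[a-z]{3}$")

# Constructed sample events: the raw text never repeats the script name,
# so only the source path carries it.
SAMPLE_EVENTS = [
    {"source": "/test/host1/20200301_Microlise_Splunk_Telemetry.txt",
     "_raw": "2020-03-01 10:00:00 status=OK duration=12s"},
    {"source": "/test/host2/20200301_Microlise_Splunk_telemetry.log",
     "_raw": "2020-03-01 10:00:05 status=OK duration=9s"},
    {"source": "/test/host3/20200301_Backup_Check.txt",
     "_raw": "2020-03-01 10:01:00 status=WARN"},
    # No digit run before the first underscore: the regex does not match.
    {"source": "/test/host4/Microlise_Splunk_Telemetry.txt",
     "_raw": "2020-03-01 10:02:00 status=OK"},
    # Uppercase extension: [a-z]{3} does not match, so no script_name.
    {"source": "/test/host5/20200301_Microlise_Splunk_Telemetry.TXT",
     "_raw": "2020-03-01 10:03:00 status=OK"},
]

def extract_script_name(source):
    """script_name the EXTRACT would yield for one source path, else None."""
    m = SCRIPT_NAME_RE.match(source)
    return m.group("script_name") if m else None

def stats_count_by_script_name(events):
    """Like '| stats count by script_name': events without the field drop out,
    and distinct spellings (case) are separate rows."""
    names = (extract_script_name(e["source"]) for e in events)
    return Counter(n for n in names if n is not None)

def keyword_search(events, term):
    """Like a bare quoted term in the base search: matched against the raw text."""
    return [e for e in events if term.casefold() in e["_raw"].casefold()]

def field_search(events, value):
    """Like '| rex field=source ... | search script_name=value'; Splunk compares
    field values case-insensitively, hence casefold()."""
    return [e for e in events
            if (extract_script_name(e["source"]) or "").casefold() == value.casefold()]

if __name__ == "__main__":
    print(stats_count_by_script_name(SAMPLE_EVENTS))
    print(len(keyword_search(SAMPLE_EVENTS, "Microlise_Splunk_Telemetry")))  # 0
    print(len(field_search(SAMPLE_EVENTS, "Microlise_Splunk_Telemetry")))    # 2
```

The last two calls reproduce the thread's observation that the rex-in-query variant matches while the bare keyword does not. Splunk's fields.conf has an INDEXED_VALUE setting intended for search-time fields whose values do not appear in the raw event text, which is the situation this regex creates.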
Hi fteyssandier,
For one of my use cases as well, when I try to execute
index=event_type -> giving a result
index=event_type | stats count by az -> giving a list of results.
but when I execute index=event_type | search az="GC" it is not giving results.
After changing the search query with your regex, it is working fine. Have you found why that is happening?
Please try whether this query works
index=windows_script_log | stats count by script_name
if yes then
index=windows_script_log "Microlise_Splunk_Telemetry"
this will return the result
thanks for your reply.
for the query
index=windows_script_log | stats count by script_name
the result is correct; for script_name "Microlise_Splunk_Telemetry" there are (for my time period) 730 events.
when I try the second query
index=windows_script_log "Microlise_Splunk_Telemetry"
there are no results (for the same period, of course ^^)