Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is my searchtime field not dispayed ?

sbsbb
Builder
‎11-11-2012 04:07 AM

I have define a new field extraction at searchtime. I don't know if there is any way to test it. For the moment I can't see the field at search time, on the left part of the screen.
Is it because it is no working properly, no match found, or do I have to do something else ?

It is defined as :
<vdv\d\d\d:(.*?)\s for a special source_type cusadapter

When I try to search through that
Type Extraction/Transform Owner App Sharing Status Actions
cusadapter : EXTRACT-vdv_message_type Inline <vdv\d\d\d:(?)\s

cus
search
Private Enabled

What am I missing ?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-12-2012 12:07 AM

Your search

sourcetype="adapter" | rex field=_raw <vdvklzzwxh:0000klzzwxh:0001klzzwxh:0002:(?<message_type>)s

does not capture any characters in the brackets for the field message_type. I'm not sure what your initial extraction does because it appears some characters were mangled in the post.

An untested regex to extract the VDV message type might be

| rex "<vdv(\d+):(?<message_type>[^\s>/]+)"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

yannK
Splunk Employee
Splunk Employee
‎11-13-2012 07:39 AM

Fields are displayed in the field list on the left side of the result page.
Make sure no to disable the automatic field extraction (on 4.2 by sliding the option, on 5.* by using the fast options)

or simply by adding at the end of the search | table myfield

0 Karma
Reply
Solved! Jump to solution

sbsbb
Builder
‎11-12-2012 11:25 PM

Thank You for your answer..
I tried your regex, but there are no field dispayed on the left (by the other fields), when I'm trying the corrected regex. Where extracted fields are supposed to be diplayed ?

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎11-12-2012 12:07 AM

Your search

sourcetype="adapter" | rex field=_raw <vdvklzzwxh:0000klzzwxh:0001klzzwxh:0002:(?<message_type>)s

does not capture any characters in the brackets for the field message_type. I'm not sure what your initial extraction does because it appears some characters were mangled in the post.

An untested regex to extract the VDV message type might be

| rex "<vdv(\d+):(?<message_type>[^\s>/]+)"

0 Karma
Reply
Solved! Jump to solution

sbsbb
Builder
‎11-11-2012 11:06 PM

I've tried in a perl rex test, with my logfile, but in the search, I have no field displayed but also no error message, Here is what I tried :

sourcetype="adapter" | rex field=_raw )\s

and here is what I tried to extract :
[2012-11-12 07:54:49,568] INFO technical.http.ans.app.vdv.util.http.VdvHttpLogger createLogEntry - IN --> otv ans DatenAbrufenAntwort ok /10.104.180.7:2800 <?xml version="1.0" encoding="ISO-8859-1"?><vdv453:DatenAbrufenAntwort xmlns:xsi="

0 Karma
Reply
Solved! Jump to solution

Lucas_K
Motivator
‎11-11-2012 01:16 PM

Have you tried an inline rex command in your search string to check and see if your getting matches first?

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the Splunk Community Dashboard Challenge!

Welcome to Splunk Community Dashboard Challenge! This is your chance to showcase your skills in creating ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...