Splunk Search

Why is my search-time field not displayed?

sbsbb
Builder

I have defined a new field extraction at search time. I don't know if there is any way to test it. For the moment I can't see the field at search time, on the left part of the screen.
Is it because it is not working properly (no match found), or do I have to do something else?

It is defined as:
<vdv\d\d\d:(.*?)\s for a specific sourcetype, cusadapter

When I look it up, it is listed as:

Name                                   Type    Extraction/Transform  Owner  App     Sharing  Status
cusadapter : EXTRACT-vdv_message_type  Inline  <vdv\d\d\d:(?)\s      cus    search  Private  Enabled

What am I missing?

0 Karma
1 Solution

martin_mueller
SplunkTrust

Your search

sourcetype="adapter" | rex field=_raw <vdv\d\d\d:(?<message_type>)\s

does not capture any characters in the brackets for the field message_type. I'm not sure what your initial extraction does because it appears some characters were mangled in the post.

An untested regex to extract the VDV message type might be

| rex "<vdv(\d+):(?<message_type>[^\s>/]+)"


0 Karma
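As an added example that is not part of this thread, the Python script below runs the three regexes discussed above (the question's <vdv\d\d\d:(.*?)\s, the empty-group rex quoted in the answer, and the answer's suggested pattern) against the event the asker posted plus two constructed variants, and surfaces only the named capture groups. That mirrors how Splunk's rex command and props.conf EXTRACT- classes behave: only named groups (?<name>...) become fields, so a regex with an unnamed group can match and still put nothing in the field list, which is one reason a field can be silently absent on the left. Python's re module spells named groups (?P<name>...) rather than PCRE's (?<name>...), so a small rewrite helper is included; the extra event strings and all function names are this example's own.

```python
import re

# Event text taken verbatim from the question (it is truncated there as well).
EVENT_FROM_POST = (
    "[2012-11-12 07:54:49,568] INFO technical.http.ans.app.vdv.util.http.VdvHttpLogger "
    "createLogEntry - IN --> otv ans DatenAbrufenAntwort ok /10.104.180.7:2800 "
    '<?xml version="1.0" encoding="ISO-8859-1"?><vdv453:DatenAbrufenAntwort xmlns:xsi="'
)

# Constructed events (not from the thread) that exercise the '>' and '/' stops
# of the answer's [^\s>/]+ character class.
EVENT_CLOSED_TAG = '<?xml version="1.0"?><vdv453:StatusAnfrage>'
EVENT_SELF_CLOSING = '<?xml version="1.0"?><vdv453:Ping/>'

PATTERNS = {
    # The question's EXTRACT regex: it matches, but the capture group is unnamed.
    "unnamed_group": r"<vdv\d\d\d:(.*?)\s",
    # The rex quoted in the answer, with an empty named group: it needs whitespace
    # directly after "<vdv453:", which never happens in these events.
    "empty_group": r"<vdv\d\d\d:(?<message_type>)\s",
    # The answer's suggested pattern: capture up to whitespace, '>' or '/'.
    "answer": r"<vdv(\d+):(?<message_type>[^\s>/]+)",
}


def pcre_to_python(pattern: str) -> str:
    """Splunk (PCRE) writes named groups as (?<name>...); Python's re needs (?P<name>...).
    Lookbehinds (?<= and (?<! are untouched because '=' and '!' are not word characters."""
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)


def regex_matches(pattern: str, event: str) -> bool:
    """True if the regex matches somewhere in the event, whether or not it yields a field."""
    return re.search(pcre_to_python(pattern), event) is not None


def extract_fields(pattern: str, event: str) -> dict:
    """Emulate a Splunk search-time extraction: only NAMED capture groups become fields,
    so a matching regex with an unnamed group adds nothing to the field list."""
    m = re.search(pcre_to_python(pattern), event)
    if m is None:
        return {}
    return {name: value for name, value in m.groupdict().items() if value is not None}


def run_examples() -> dict:
    """Every pattern against every event; an empty dict means 'no field would appear'."""
    events = {
        "from_post": EVENT_FROM_POST,
        "closed_tag": EVENT_CLOSED_TAG,
        "self_closing": EVENT_SELF_CLOSING,
    }
    return {
        ev_name: {label: extract_fields(pat, ev) for label, pat in PATTERNS.items()}
        for ev_name, ev in events.items()
    }


if __name__ == "__main__":
    for ev_name, results in run_examples().items():
        for label, fields in results.items():
            print(f"{ev_name:13} {label:14} -> {fields or 'no field'}")
```

Against the posted event, the unnamed-group regex matches but yields no field, the empty-group rex does not match at all, and the answer's pattern yields message_type=DatenAbrufenAntwort; the same pattern also stops cleanly at a closing '>' or a self-closing '/'. The quickest way to tell "no match" from "no field" inside Splunk itself is to run the regex as an inline rex and look for the field in the results, which is what the later replies suggest.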

yannK
Splunk Employee

Fields are displayed in the field list on the left side of the result page.
Make sure not to disable the automatic field extraction (on 4.2 by sliding the option, on 5.* by using the fast options),

or simply add at the end of the search: | table myfield

0 Karma

sbsbb
Builder

Thank you for your answer.
I tried your regex, but there is no field displayed on the left (with the other fields) when I try the corrected regex. Where are extracted fields supposed to be displayed?

0 Karma

sbsbb
Builder

I've tried it in a Perl regex test with my log file, but in the search I have no field displayed, and also no error message. Here is what I tried:

sourcetype="adapter" | rex field=_raw <vdv\d\d\d:(?<message_type>)\s

and here is what I tried to extract :
[2012-11-12 07:54:49,568] INFO technical.http.ans.app.vdv.util.http.VdvHttpLogger createLogEntry - IN --> otv ans DatenAbrufenAntwort ok /10.104.180.7:2800 <?xml version="1.0" encoding="ISO-8859-1"?><vdv453:DatenAbrufenAntwort xmlns:xsi="

0 Karma

Lucas_K
Motivator

Have you tried an inline rex command in your search string, to check whether you're getting matches first?

0 Karma