Splunk Search

Field Extraction

Abha
Explorer

Hi
I extracted a couple of fields from my input data.
However, those fields are not showing on the Fields Sidebar, though I can view them in Manager >> Fields >> Field Extractions.
What do I do now?

0 Karma

wpreston
Motivator

I'd recommend testing your field extractions using the rex command in a search before adding them to the extractions page. Just enter your search terms, followed by | rex "your regular expression field extraction". I usually also follow it with | stats values(myFieldName) just to make sure I pick up only the values I wanted and don't have to adjust my regex. So for instance, if I were extracting browser from a log, I might use the following search to test my field extraction:

your search terms | rex "userAgent=(?<browser>[^(]+)" | stats values(browser)
0 Karma
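An offline version of the test described in the reply above, as an added example that is not part of the original post: it runs the same rex pattern over a few constructed log lines and reports the distinct values per field plus the events that did not match, which is what `| stats values(browser)` is used to eyeball. The sample events and the helper names `to_python_regex` and `check_extraction` are assumptions made for illustration.

```python
import re

# Constructed sample events (not taken from the thread).
SAMPLE_EVENTS = [
    "ts=2024-05-01T10:00:01 userAgent=Mozilla/5.0 (Windows NT 10.0; Win64) status=200",
    "ts=2024-05-01T10:00:02 userAgent=curl/8.4.0 status=200",
    "ts=2024-05-01T10:00:03 userAgent=Mozilla/5.0 (X11; Linux x86_64) status=404",
    "ts=2024-05-01T10:00:04 status=500",
]

# The extraction from the reply, in Splunk (PCRE) syntax.
REX = r"userAgent=(?<browser>[^(]+)"


def to_python_regex(splunk_regex):
    """Rewrite PCRE named groups (?<name>...) as Python's (?P<name>...).

    Lookbehinds such as (?<=...) and (?<!...) are left alone because the
    character after '<' must start an identifier for the rewrite to apply.
    """
    return re.sub(r"\(\?<([A-Za-z_]\w*)>", r"(?P<\1>", splunk_regex)


def check_extraction(splunk_regex, events):
    """Return ({field: sorted distinct values}, [events with no match])."""
    pattern = re.compile(to_python_regex(splunk_regex))
    values = {name: set() for name in pattern.groupindex}
    unmatched = []
    for event in events:
        match = pattern.search(event)
        if match is None:
            unmatched.append(event)
            continue
        for name, value in match.groupdict().items():
            if value is not None:
                values[name].add(value)
    return {name: sorted(found) for name, found in values.items()}, unmatched


if __name__ == "__main__":
    fields, missed = check_extraction(REX, SAMPLE_EVENTS)
    for name, found in fields.items():
        # repr() makes trailing spaces and over-captured text visible.
        print(name, [repr(v) for v in found])
    print("events without a match:", len(missed))
```

On these sample lines the value list exposes two things a quick look at the regex can miss: the capture keeps the trailing space before the parenthesis, and a user agent with no parenthesis swallows the rest of the event.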

Abha
Explorer

Well, I simply created them using the web UI. Since I can only view them in Fields >> Field Extractions... dunno how I could test them... Any ideas?

0 Karma

Drainy
Champion

How did you create the field extracts and have you tested that they work anywhere?

0 Karma

rgcurry
Contributor

I typically create my field extractions by editing the props.conf directly, but I'm a shell bigot. (8->) Whenever I cannot see my fields defined in the Fields Sidebar, I realize that I have failed to create metadata for my fields. As you are using the Web UI, I am not certain what might be doing this for you. Do you have access to the file system? Check the metadata/local.meta file in your app's etc/apps directory and assert that it has permissions set for your fields.

0 Karma

Abha
Explorer

Checked the local.meta file. Things seem to be in order there...

0 Karma