- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Problem with extracted field
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Problem with extracted field
Hi,
I am not able to see extracted fields in "Interesting field list",however fields are visible in Manager.
What can be the problem ?
Thanks and Regards
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
below are my suggestion :
1st, check the permission and app of the field you defined , you must be in the same app as the field belongs to ( if you share to "App" but not to "global" )
2nd, click the "edit" icon on the upper right corner of "Interesting field list" , you can see all fields list
3rd, if you cannot find specific field that you defined before , may be the reason is there is no matched rule in your search result
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hi, 1st I have kept permisisons for all the extracted fields as global
2nd Its not showing extractes fields
3rd Its matching because i can use those fields in my query its working. i am not able to see it in "Interesting field list"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My guess is that either;
a) the regex for extracting the field is not matching any event in your search results. This is then the expected behaviour. The definition will always be visible in manager, but if no event matches the regex, then the field name will not show in the search app, as the field is not present in the events. Or perhaps your extraction regex is wrong and needs to be edited.
b) your field name contains a hyphen (dash/minus/-). That used to be a problem when you created fields, but maybe that has been fixed by now. If you created your field extraction through IFX, you didn't get an error message. Normally fields names shall only contain letters, numbers and underscores, and must start with a letter. If that is the issue, change the name of the field. (most likely in props.conf).
Hope this helps,
/K
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
regex is proper i am able to use the fileds in query and i have given simple string names its not containing hyphen
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
