I'm a newbie to Splunk, and I'm having difficulty with field definitions and searches.
My input data (from syslog) contains one field of a form such as ":ABC1234I:", which means component "ABC" generated log message ID 1234 at level I (info). This is parsed fairly easily using this REGEX:
(?i):(?P<Logger>[A-Z][A-Z][A-Z])(?P<Logno>[\d][\d][\d][\d])(?P<Sev>[DWIEF]):
The search shows Logger, Logno, and Sev under "interesting fields" as expected, and shows the set of values found for each one. All this seems fine.
But when I select one of the values under "Logger", I get no matches, despite it already listing some 26,000+ hits for that particular value.
The search term in this instance is
sourcetype="syslog" Logger="CGP"
What am I doing wrong?
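As an added example (not part of the original post, and not Splunk's own code), here is the extraction reproduced offline in Python over a few constructed syslog lines: it applies the same regex with the named groups Logger, Logno and Sev, tallies the distinct values per field the way the "interesting fields" panel does, and then runs an exact-match filter equivalent to Logger="CGP". One thing it makes visible is that, because the pattern carries (?i), a lower-case variant such as :cgp1234i: also matches and yields a separate value "cgp" alongside "CGP", which an exact search for CGP will not return. The sample lines and the search() helper are assumptions made for the illustration.

```python
import re
from collections import Counter

# The pattern from the question, with the named groups restored.
# (?i) is kept exactly as posted so its effect on extracted values is visible.
LOG_ID_RE = re.compile(
    r"(?i):(?P<Logger>[A-Z][A-Z][A-Z])(?P<Logno>[\d][\d][\d][\d])(?P<Sev>[DWIEF]):"
)

# Constructed sample syslog lines (assumed data, not from the original post).
SAMPLE_LINES = [
    "Jan 10 12:00:01 host1 app[123]: :CGP1234I: connection accepted",
    "Jan 10 12:00:02 host1 app[123]: :CGP0007E: auth failure for user bob",
    "Jan 10 12:00:03 host2 app[456]: :ABC1234I: startup complete",
    "Jan 10 12:00:04 host2 app[456]: :cgp1234i: lower-case variant",
    "Jan 10 12:00:05 host3 cron[1]: no log id here",
]


def extract_fields(line):
    """Return {'Logger': ..., 'Logno': ..., 'Sev': ...} for a line, or None if no match."""
    m = LOG_ID_RE.search(line)
    return m.groupdict() if m else None


def field_values(lines):
    """Count distinct values per field, like the 'interesting fields' value lists."""
    counts = {"Logger": Counter(), "Logno": Counter(), "Sev": Counter()}
    for line in lines:
        fields = extract_fields(line)
        if fields:
            for name, value in fields.items():
                counts[name][value] += 1
    return counts


def search(lines, **criteria):
    """Exact, case-sensitive match on extracted fields, e.g. search(lines, Logger="CGP").

    This is a hypothetical stand-in for the field=value filter in the question,
    not an implementation of Splunk's search semantics.
    """
    hits = []
    for line in lines:
        fields = extract_fields(line)
        if fields and all(fields.get(k) == v for k, v in criteria.items()):
            hits.append(line)
    return hits


if __name__ == "__main__":
    for name, counter in field_values(SAMPLE_LINES).items():
        print(name, dict(counter))
    for hit in search(SAMPLE_LINES, Logger="CGP"):
        print("HIT:", hit)
```

Running it shows Logger values CGP (2), ABC (1) and cgp (1): the case-insensitive flag lets the lower-case line through extraction, but it is a different value from CGP when filtered exactly.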