Hi,
I have the following data (time x y word1 word2):
20131116-162406.698 569 609 burbled his
20131116-162407.590 568 615 wood manxsome
20131116-162408.481 684 592 tumtum raths
20131116-162409.372 635 609 head his
20131116-162410.263 882 620 with tumtum
20131116-162411.154 489 608 sought took
20131116-162412.045 484 624 hand thought
20131116-162412.936 484 624 hand thought
20131116-162413.827 917 613 son long
20131116-162414.718 1162 552 wabe foe
20131116-162415.609 145 552 hand foe
20131116-162416.500 956 587 galumphing hand
20131116-162417.391 628 635 aflame head
...etc
Splunk recognises the timestamp field but nothing else, so I am trying to identify the remaining fields, at search time, as Xpsn, Ypsn, prime and sub.
(NB: in the following regex expressions the '\' after each '(?<' is added to get this edit window to display properly and is not in the Splunk search line.)
This works:
sourcetype=MouseTracker | rex (?<\Xpsn>\s\d+)+(?<\Ypsn>\s\d+)+(?<\prime>\s\w+)+(?<\sub>\s\w+) |top prime
This also works:
sourcetype=MouseTracker | rex (?<\Xpsn>\s\d+)+(?<\Ypsn>\s\d+)+(?<\prime>\s\w+)+(?<\sub>\s\w+) |table prime sub Xspn
However this does not work:
sourcetype=MouseTracker | rex (?<\Xpsn>\s\d+)+(?<\Ypsn>\s\d+)+(?<\prime>\s\w+)+(?<\sub>\s\w+) |search prime=hand |table prime sub
Why? Why can't search use the new fields when top, filter, table and others can?
This is not suitable:
sourcetype=MouseTracker hand | rex ... (etc.), because it hits if 'hand' is the first or second word.
Sorry to be a ghastly newbie, but this has me stumped.
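As an added illustration (not part of the original post, and not Splunk itself), here is the same extraction run in Python's re module, which shares PCRE-style named-group semantics with the rex command: it applies the posted pattern to the sample lines above and a tightened pattern beside it. Python spells a named group `(?P<name>...)`, the display-only backslashes are dropped, and the anchored form is my assumption of what the pattern was meant to capture. The point worth checking first is that in the posted pattern the `\s` sits inside each group, so the captured `prime` for a 'hand' line is ' hand' with a leading space in any PCRE-style engine, and an exact `prime=hand` comparison will not equal it; the anchored form keeps the separators outside the groups.

```python
import re

# Sample lines copied from the post above (no constructed lines added).
SAMPLE = """\
20131116-162406.698 569 609 burbled his
20131116-162407.590 568 615 wood manxsome
20131116-162408.481 684 592 tumtum raths
20131116-162409.372 635 609 head his
20131116-162410.263 882 620 with tumtum
20131116-162411.154 489 608 sought took
20131116-162412.045 484 624 hand thought
20131116-162412.936 484 624 hand thought
20131116-162413.827 917 613 son long
20131116-162414.718 1162 552 wabe foe
20131116-162415.609 145 552 hand foe
20131116-162416.500 956 587 galumphing hand
20131116-162417.391 628 635 aflame head
"""

# The pattern as posted, with the display-only '\' removed. Python spells a
# named group (?P<name>...) where Splunk/PCRE use (?<name>...); otherwise the
# semantics match: an unanchored search, and for a repeated group the stored
# capture is the text of the last iteration.
POSTED_RE = re.compile(
    r"(?P<Xpsn>\s\d+)+(?P<Ypsn>\s\d+)+(?P<prime>\s\w+)+(?P<sub>\s\w+)"
)

# A tightened form (my assumption of what was intended): anchor on the
# timestamp token, keep the separating whitespace outside the groups, and
# drop the '+' repeats so each group matches exactly one token.
TIGHT_RE = re.compile(
    r"^\S+\s+(?P<Xpsn>\d+)\s+(?P<Ypsn>\d+)\s+(?P<prime>\w+)\s+(?P<sub>\w+)\s*$"
)


def extract(pattern, line):
    """Return the named captures for one line, or None if it does not match."""
    m = pattern.search(line)
    return m.groupdict() if m else None


def extract_all(pattern, text):
    """Apply the pattern to every non-blank line of the sample."""
    return [extract(pattern, line) for line in text.splitlines() if line.strip()]


def count_prime(pattern, text, value):
    """Equivalent of '| search prime=<value>' followed by a count: an exact
    string comparison against the captured field value."""
    return sum(1 for rec in extract_all(pattern, text)
               if rec is not None and rec["prime"] == value)


def lines_mentioning(text, word):
    """Equivalent of the raw keyword search 'sourcetype=MouseTracker hand':
    counts a line if the word appears anywhere on it, in either word column."""
    return sum(1 for line in text.splitlines() if word in line.split())


if __name__ == "__main__":
    line = "20131116-162415.609 145 552 hand foe"
    print("posted :", extract(POSTED_RE, line))  # prime is ' hand' (leading space)
    print("tight  :", extract(TIGHT_RE, line))   # prime is 'hand'
    print("prime=hand, posted pattern :", count_prime(POSTED_RE, SAMPLE, "hand"))  # 0
    print("prime=hand, tight pattern  :", count_prime(TIGHT_RE, SAMPLE, "hand"))   # 3
    print("keyword 'hand' anywhere    :", lines_mentioning(SAMPLE, "hand"))        # 4
```

The last line reproduces the objection to the plain keyword search: 'hand' matches four lines because the galumphing/hand line has it in the second column, whereas an exact comparison on the extracted `prime` field matches three. To see what the Splunk field actually holds, `| eval plen=len(prime) | table prime plen` will show a length of 5 rather than 4 if a leading space was captured.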