I've seen similar questions to mine asked, but none of the advice has solved my issue.
I created a new field extraction (which correctly pulled the data in the 10,000 event sampling) and it shows up in the field extraction list under "Settings":
API Server Logs - 03-12 : EXTRACT-MW_ErrorMessage Inline (Error Code=").+>(?P<MW_ErrorMessage>[^<]+) mwalser search Private | Permissions Enabled
After creating the field extraction, I attempted to reload the search:
index="cisres_events" sourcetype="API Server Logs - 03-12" | extract reload=T
But the newly created extraction "MW_ErrorMessage" does not show up in the selectable list of "All Fields".
What else might be causing the field extraction to not show up in the list? I've attempted to rebuild this extraction several times with different naming conventions and even tried modifying the permissions to no avail. Any suggestions?
... View more