Hi --
I'm having some trouble with search-time field extractions that I've set up in the Splunk Manager. My tab-separated input data looks like:
12345 some_junk prefix789 morejunk
and I'm trying to extract the "789" portion into a field. My field extraction regex looks like:
^(?<req_id>[^t]*)\t[^\t]+\tprefix(?<some_id>[^\t]*)\t
This extraction does work, but I'm seeing some strange behavior when I use that some_id field as part of my search. For example, a search for:
sourcetype=mylog some_id=789
returns zero results. If I search for:
sourcetype=mylog some_id=*789
I get results. When I look at the field discovery panel and click on the some_id entry, it correctly shows 789 as the value of the some_id field (and not prefix789) in 100% of the results. If I do:
sourcetype=mylog | convert auto(some_id) | search some_id=789
I get results (same as the *789 search above). I checked the length of the extracted value for the some_id field:
sourcetype=mylog some_id=*789 | eval idlen=len(some_id)
which correctly shows 3.
So - my question is: why doesn't my original search for some_id=789 return any results, but my search for some_id=*789 does?
Is there a way to specify the convert auto() as part of the field extraction, so I don't have to include it in every search that uses some_id?
Thanks!
--Colin