Bug in interactive field extractor (IFX)?

kristian_kolb · ‎05-22-2012

There seems to be a bug in the interactive field extractor regarding the naming of fields. If copy-pasting a regex (crafted through rex perhaps), where the field name contains a hyphen (minus/dash/-) instead of the the default placeholder <FIELDNAME>, there will be an error when you hit 'save' ("Illegal character in field name" or something like that).

However, there is nothing stopping you from saving a field extraction which has the default <FIELDNAME> placeholder in the regex, and where the name entered in the 'save' dialog box contains hyphens. The save goes through, but the field never shows up in searches.

Couldn't the same error checking be applied here, since this is a more likely scenario than the copy/paste variant?

This was tested on Splunk 4.3.1 (win-64), and neither the Changelog nor Known Issues for 4.3.2 mention this.

Best regards,

Kristian

webboy · ‎05-22-2012

Thanks for submitting this issue Kristian. I just wanted to add that I originally found this problem on Ubuntu Server 12.04 LTS 64 bit.

I think it was a sort of happy accident that I discovered this after trying your suggestion to help fix my non-working extraction.

The reality is that this is probably happening to a lot of people. I wouldn't think that using the IFX tool and naming extractions with hyphens is terribly uncommon.

Regards,

-Dan

Bug in interactive field extractor (IFX)?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms