Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Field Value is not picking in search interface ??

rakesh_498115
Motivator
‎12-21-2012 05:12 AM

Hi..

I have created a field in splunk like this .

rex"_Arm(?[a-zA-Z]*)<?"

This Field was successfully created and display in the search results , when i use the top command
But when i use in the searchquery direclty the field with value , it is saying 0 results.

Wat could be the error .Its a strange behvaiour i am exprenceing in splunk after using it for more then 8 months.

My Query with top which is working .

sourectype="Mydata" | top Identifier

My Query with Identifier field which is not working .

sourcetype="Mydata" Identifier="Start" (Not working)

Actually Start, Stop , Resume are the values that come in the field Identifier. Can you pls help ..

My Sample log event ::

2012-12-2111:42:03.542NONEIPUB-OR_P3;JMS_ArmStartPEIINFOE2E.busTxnStage=NOT,E2E.compTxnName=P1,E2E.compTxnID=2hfyuwi494,E2E.from=IPUB-OR,E2E.to=MQREP,E2E.aborted=true,E2E.graphID=1.1.1,E2E.threadID=2hfyrk9v02,E2E.busProcType=notify,E2E.busProcOriginator=GS-SMARTS,E2E.threadID.1=:,E2E.busTxnType=MENNotifications,E2E.busTxnHdr=PCK002069,E2E.busTxnSys=GS-S_MENNotifica,E2E.busTxnLoc=UNKNOWN,E2E.busTxnUsr=wbrkadm,E2E.busTxnSeq=2hfyrk9uxpuuid:e55b1572-1c50-11e2-a5ac-0ae6bdb20000#uuid:fc4c0a04-1c58-11e2-a8e7-0ae6bdb20000-

whose linecount is 1 .

can you pls update !!

Tags (1)
0 Karma
Reply

Ayn
Legend
‎12-21-2012 07:44 AM

From what I read about your scenario it's very likely that you're affected by the issue that is covered and solved in this blog post: http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/

NOTE: The blog post says that this is resolved in newer releases but my own testing says otherwise...

Reply

Drainy
Champion
‎12-21-2012 05:19 AM

I'm slightly confused as neither of those searches actually have the rex command included, anyway. At a guess you aren't extracting the identifier before you try to search for it so maybe do something like;

sourcetype="Mydata" | rex"_Arm(?<identifier>[a-zA-Z]*)<?" | search identifier="Start" | top identifier

Remember that fieldnames are case sensitive so you need to use a little i as that is what you used in your rex command. This search now pulls all Mydata events, creates an identifier field where it can, filters the list down to just the events with the identifier start and then pulls the top.

0 Karma
Reply

rakesh_498115
Motivator
‎12-21-2012 07:08 AM

Still same problem ..

used my query likethis

sourcetype="Mydata" identifier="Start"

0 Karma
Reply

Drainy
Champion
‎12-21-2012 06:12 AM

so perhaps a regex of; \_Arm(?<identifier>[^\<]+)\<

0 Karma
Reply

Drainy
Champion
‎12-21-2012 05:41 AM

Could you paste some example log data? it sounds like the regex is pulling in some extra characters you can't see

0 Karma
Reply

rakesh_498115
Motivator
‎12-21-2012 05:37 AM

my eventdata linecount for single event is 1 . is that the problem ??

0 Karma
Reply

rakesh_498115
Motivator
‎12-21-2012 05:28 AM

No Actually i have created that field to my sourcetype using fields manager in field extractions...then its not working for me..when i use Identifier="*Start" it is working..

But not working when i use Identifier="Start" . Actually the value in the Identifier is Start only. i dont understand wats happening here..

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...