![]() You must filter in search (by time or whatever) to get that event in the current area. The field will NOT show if the current set of data on the screen doesn't have it in the events.I changed the permissions at the OS level and it worked. Get the permissions correct, both on the field itself AND on the config files! For some reason, I would enter an extract field in teh GUI and no files were getting written.When I installed locally, I could watch when files changed and understand where I should be putting different configuration stuff. Using the cloud version is a bit tough because I didn't have access to the nf.I started using an app that helps me write the extractions (search in the app area) and that helped out a lot. The regex for an extracted field has to be perfect, or the field will not show.Thanks to everyone for responding, the answers definitely helped me eliminate things: writing it here for other newbies to reference. Well, I have figured out a few things last night that helped me understand why things sometimes don't show. What am I missing? It is probably something obvious, so please be gentle. I have adjusted the permissions (they are completely global and for every app) I have opened up the 'More Fields' area and it is not there even with the 'All fields' option at the top Isn't it supposed to just show up? How do I make use of this extracted field? Now, I go back the search area and I don't see this field anywhere. ![]() Trace : EXTRACT-mac_address Inline ()$ admin search Global | Permissions Enabled I created an Extract Field with this config: It automatically separated the date out and the rest of the stuff is in the 'Event' column. ![]() I loaded in the file and I see the indexed data. What I want to do is extract the MAC Address from this line and then create a bar graph showing when this line was recorded for a particular MAC Address. I have just started the online sandbox and am messing around with a log file from one of our applications (so it is a custom log file).Ī line in the log file looks like this: PresenceSensor: Sensor 00:00:CC:DD:00:00 rebooted I am really new to Splunk, but I have searched the questions here and don't seem to find an answer to my problem.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |