Parse works, field extraction doesn't
I can successfully parse data with a search query, but putting the same query into a field extraction rule often doesn't show the parsed fields. Here's an example:

_sourceCategory=networking/clearpass 188.8.131.52 | parse "Endpoint.Username=*#" as wifi_Username | parse "Endpoint.MAC-Address=*#" as wifi_MACaddress | parse "Endpoint.IP-Address=*#" as wifi_IPaddress

When I put this into a search I can see the 3 new entries in the Display Fields list, populated with data. However, I added this exact info into a field extraction and when I just search for the IP address (or the sourceCategory and IP address) the fields don't display. Here's a screenshot of my field extraction rule. Any assistance would be appreciated.
Hey Brian,

Your parse rule seems to be created correctly. Here are 2 things I can comment on/suggest:

-- Parse rules only act on new data being ingested, as the parsing happens at the time of ingestion (unlike parsing in the query, which can parse previously ingested data), so if you wait for new data to ingest, you should see those parsed fields.

-- If not all log messages have wifi_Username, wifi_MACaddress and/or wifi_IPaddress, you should add the nodrop option to your parse statements so that the messages that do contain some of the fields do not get dropped.

Hope this helps!

Cheers,
Mario
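To illustrate Mario's second point, here is an added Python simulation (not Sumo Logic's own engine, and not code from either poster) of how a chain of `parse "anchor" as field` steps behaves with and without nodrop: the `*` in an anchor is approximated as a lazy capture between the literal pieces, and a message that fails any step is dropped unless nodrop is set. The log lines are constructed to look like the ClearPass fields in the question, with the second line deliberately missing Endpoint.IP-Address.

```python
import re

# Constructed ClearPass-style log lines (not real data). The second line has no
# Endpoint.IP-Address field, which is exactly the case nodrop is meant to handle.
SAMPLE_LOGS = [
    "Endpoint.Username=alice#Endpoint.MAC-Address=00:11:22:33:44:55#Endpoint.IP-Address=10.0.0.7#",
    "Endpoint.Username=bob#Endpoint.MAC-Address=66:77:88:99:aa:bb#",
]

# The three anchors from the question, in the same order as the query.
PARSE_RULES = [
    ("Endpoint.Username=*#", "wifi_Username"),
    ("Endpoint.MAC-Address=*#", "wifi_MACaddress"),
    ("Endpoint.IP-Address=*#", "wifi_IPaddress"),
]


def anchor_to_regex(anchor):
    """Turn a parse anchor into a regex: literal text is escaped, '*' becomes a lazy capture."""
    parts = [re.escape(p) for p in anchor.split("*")]
    return re.compile("(.*?)".join(parts))


def apply_parse(message, fields, anchor, name, nodrop=False):
    """Apply one `parse anchor as name` step.

    Returns the updated field dict, or None when the message is dropped
    (anchor not found and nodrop not set).
    """
    m = anchor_to_regex(anchor).search(message)
    if m:
        return {**fields, name: m.group(1)}
    return fields if nodrop else None


def run_rules(logs, rules, nodrop=False):
    """Chain every parse step over every message, mimicking the pipeline in the query."""
    results = []
    for msg in logs:
        fields = {}
        for anchor, name in rules:
            fields = apply_parse(msg, fields, anchor, name, nodrop)
            if fields is None:
                break  # message dropped at this step
        if fields is not None:
            results.append(fields)
    return results
```

Without nodrop only the first message survives; with nodrop the second message is kept with the two fields it does contain, which is why a field extraction rule built on these anchors should use it when the fields are not present in every event.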