Splunk Search

Search does not pick up all matches

chaseleechun
Explorer

I have quite a number of occurrences of "unsuccessful_login_count" in a txt file (file upload), e.g.

unsuccessful_login_count = 0 ...
unsuccessful_login_count = 0 ...
unsuccessful_login_count = 0 ...
unsuccessful_login_count = 2 ...
unsuccessful_login_count = 1 ...
unsuccessful_login_count = 28 ...
unsuccessful_login_count = 11 ...
unsuccessful_login_count = 0 ...

But the search only picks up a few of those occurrences. Can anyone help?

e.g. the "selected fields" will show

unsuccessful_login_count (n) (2)

When clicked, it will show values, e.g. "0" and "2" only. The rest of the values are not picked up.

I am using v4.1.6.

Tags (2)
0 Karma
1 Solution

Lowell
Super Champion

If your events are not being broken properly, then that issue should be addressed first. Using SHOULD_LINEMERGE=False in your props.conf file should be all you need to break these events into single line events. Keep in mind that only newly indexed events will be affected by this change, and only after you restart your splunkd on your indexer.

Per your comment, it looks like you have the following in your props.conf:

[out]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)

If this isn't working, then perhaps your sourcetype isn't being assigned as "out"; or it's not happening at the right point in the process (which can happen, but isn't likely). If you haven't done so already, I'd suggest setting up an explicit source-matching rule in your props file to force your log file to be assigned the sourcetype of "out", which can be done with something like this:

[source::.../path/to/log/myfile.out]
sourcetype = out


Tracking down props.conf issues can be a pain, so I wrote up some stuff I found helpful. Check out this page:

http://answers.splunk.com/questions/4075/whats-the-best-way-to-track-down-props-conf-problems

0 Karma

chaseleechun
Explorer

I originally added the logfiles individually and assigned 'automatic' sourcetype. I tried again by adding the logfiles in a directory and specified a manual sourcetype. AND IT BREAKS CORRECTLY now.

I think the automatic sourcetype has some default breaks configured, which is why the events are breaking 'randomly'.

Anyways, thanks for your responses! Much appreciated.

0 Karma

chaseleechun
Explorer

This is the output from btool props list out. I removed the BREAK_ONLY_BEFORE and BREAK_ONLY_BEFORE_DATE, but still to no avail.

C:\Program Files\Splunk\bin>splunk cmd btool props list out
[out]
BREAK_ONLY_BEFORE =
BREAK_ONLY_BEFORE_DATE = false
CHARSET = AUTO
DATETIME_CONFIG = \etc\datetime.xml
LEARN_SOURCETYPE = true
LINE_BREAKER = ([\r\n]+)
MAX_DAYS_AGO = 2000
MAX_DAYS_HENCE = 2
MAX_DIFF_SECS_AGO = 3600
MAX_DIFF_SECS_HENCE = 604800
MAX_EVENTS = 256
MAX_TIMESTAMP_LOOKAHEAD = 38
MUST_BREAK_AFTER =
MUST_NOT_BREAK_AFTER =
MUST_NOT_BREAK_BEFORE =
...

0 Karma

Paolo_Prigione
Builder

The field might not be taken as multivalued... Try to add this to props.conf

[out]
REPORT-output = unsuccessful_report

then, to transforms.conf

[unsuccessful_report]
REGEX = unsuccessful_login_count\s*=\s*(?<unsuccessful_login_count>\d+)
REPEAT_MATCH = true
MV_ADD = true

Good luck!

0 Karma
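A small Python model, added here and not taken from the thread, of how the settings discussed above (Lowell's SHOULD_LINEMERGE=false event breaking and Paolo's REPEAT_MATCH/MV_ADD extraction) change which unsuccessful_login_count values end up indexed. The sample file and the fixed-size line merging are constructed simplifications of what Splunk does, not its real merging logic.

```python
import re

# Constructed sample of the uploaded .txt file (not the original poster's data):
# unsuccessful_login_count lines interleaved with a varying number of other fields.
SAMPLE = """unsuccessful_login_count = 0
field1 = a
field2 = b
unsuccessful_login_count = 2
field1 = a
unsuccessful_login_count = 28
field1 = a
field2 = b
field3 = c
unsuccessful_login_count = 11
"""

# Same regex as the transforms.conf stanza, with \s* so it matches "key = value".
FIELD_RE = re.compile(r"unsuccessful_login_count\s*=\s*(?P<unsuccessful_login_count>\d+)")


def break_events(text, should_linemerge, merge_lines=4):
    """Model the two props.conf settings. LINE_BREAKER=([\\r\\n]+) splits the raw
    text into lines; with SHOULD_LINEMERGE=true Splunk then glues lines back into
    multi-line events (modelled here as fixed chunks of merge_lines lines, which is
    a simplification); with SHOULD_LINEMERGE=false every line is its own event."""
    lines = [ln for ln in re.split(r"[\r\n]+", text) if ln]
    if not should_linemerge:
        return lines
    return ["\n".join(lines[i:i + merge_lines]) for i in range(0, len(lines), merge_lines)]


def extract(events, repeat_match):
    """Values of unsuccessful_login_count as they would be indexed: by default only
    the first match per event; with REPEAT_MATCH=true and MV_ADD=true every match
    in the event is kept as a multivalue field."""
    values = []
    for event in events:
        matches = FIELD_RE.findall(event)
        values.extend(matches if repeat_match else matches[:1])
    return values


def compare():
    """The three configurations discussed in the thread, side by side."""
    merged = break_events(SAMPLE, should_linemerge=True)
    single = break_events(SAMPLE, should_linemerge=False)
    return {
        "linemerge_default": extract(merged, repeat_match=False),      # first value per merged event
        "single_line_events": extract(single, repeat_match=False),     # SHOULD_LINEMERGE=false
        "linemerge_repeat_match": extract(merged, repeat_match=True),  # REPEAT_MATCH + MV_ADD
    }


if __name__ == "__main__":
    for name, values in compare().items():
        print(f"{name:24s} {values}")
```

With merging on and default extraction the sample collapses to three events and only three of the four values survive, which is the "only a few values" symptom from the question; either fix recovers all four.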

chaseleechun
Explorer

I managed to get it working by assigning a manual sourcetype. Thanks for your response anyways.

0 Karma

chaseleechun
Explorer

I tried putting this in the props.conf in my system\local, but still didn't work.

[out]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)

0 Karma

chaseleechun
Explorer

I just found out that the search result is somehow broken up into 3 separate events, instead of grouping each of the 120 occurrences as an individually separate event.

Then it somehow takes the first field (with value) encountered within the event and associates that event with that value.

One thing to note is that the text file is inconsistent, i.e. the logs may be ordered as such:
unsuccessful_login_count = 0
field1
field2
unsuccessful_login_count = 0
field1
unsuccessful_login_count = 0
field1
field2
field3
unsuccessful_login_count = 0
etc.etc.

Can anyone help?

0 Karma