Hi All,
I am getting undefined fields in Splunk, even though all my conf files are configured correctly. If I search the logs over a period of less than 15 min, I get the fields correctly, but if the search period is more than 15 min, all my field states are undefined. What could the issue be? Could you please help me find a solution and fix it?
Thanks!
Hi
We have the same phenomenon too.
One single event messes up all fields. If searched without that event, everything works great. As soon as the specific event is loaded, the following happens:
However, analysing the data still works. So a | stats count by
shows data and count with proper values, even with the evil event!
This happened to me for the very first and only time. When comparing the two events, I don't see any differences in the pattern.
I'm sorry but I'm not allowed to share the events because of data privacy reasons.
I still hope this might help for further investigation.
Could you provide some sample results where it went correctly and incorrectly?
Below are example logs
Logs with undefined fields:
10/28/2014 06:28:50 -0700 - AUTHZ_SUCCESS - GET - hostname/group/reports/-/consumer/WSRP_10132_332e2c30_0bb44ddba59baef8c2c8226f/normal/view/cacheLevelPage/WDJOMWMzUnZiVkpsY0c5eWRITlFiM0owYkdWMFgxZEJVbDlwWTJWd2IzSjBZV3hmZDNOeWNEMHg*?p_p_lifecycle=2&p_p_resource_id=getReportList&p_p_col_id=column-3&p_p_col_count=1&_WSRP_10132_332e2c300bb44ddba59baef8c2c8226f_wsrp-resourceCacheability=cacheLevelPage&undefined=undefined&=1414474130364 - uid=xyz,ou=users,ou=people,dc=xyz,dc=com - 06:28:50 - http - xyz_webgate - - 2uid=qatest110781@zys.com
Logs with defined and correct fields:
0/28/2014 07:24:39 -0700 - AUTHZ_SUCCESS - GET - HOSTNAME- x.x.x.x - www.xyz.com/autologin - uid=stefanlay@xyz.com ,ou=customers,ou=people,dc=xyz,dc=com - 07:24:39 - http - xyz - - 2uid=stefanlay@xyz.com