Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

field attaches too much data

seanlon11
Path Finder
‎04-20-2011 08:09 AM

The log entry is: 

2011-04-20 01:04:12,026 [DEBUG] com.company.ldap.SpringLdapDao.java(?) - **username=ahall** returned no groups, which probably means the user needs to be assigned groups by security
2011-04-19 18:06:49,424 [DEBUG] com.company.ldap.SpringLdapDao.java(?) - **username=frozndrk** returned no groups, which probably means the user needs to be assigned groups by security

I would expect to see a list of usernames with the simple values (e.g. ahall, frozndrk), but in reality, what I see for the username field is:

  • ahall returned no groups
  • frozndrk returned no groups

In some odd way, it is also grabbing data to the comma. I only want the username, and not the junk after it.

Why is this happening?

Thanks,
Sean

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎04-20-2011 08:42 AM

Is this a field extraction you've defined, or is Splunk auto-extracting it? It sounds like maybe you need to define a slightly different regex for this. Try this as a test, and see how it does with values for test_username.

returned no groups | rex "username=(?<test_username>.*) returned no groups"

You can add this to props.conf for your sourcetype using something like:

[mysourcetype]
EXTRACT-username = username=(?<username>.*) returned no groups

View solution in original post

Reply
Solved! Jump to solution
Solution

dwaddle
SplunkTrust
SplunkTrust
‎04-20-2011 08:42 AM

Is this a field extraction you've defined, or is Splunk auto-extracting it? It sounds like maybe you need to define a slightly different regex for this. Try this as a test, and see how it does with values for test_username.

returned no groups | rex "username=(?<test_username>.*) returned no groups"

You can add this to props.conf for your sourcetype using something like:

[mysourcetype]
EXTRACT-username = username=(?<username>.*) returned no groups
Reply
Solved! Jump to solution

dwaddle
SplunkTrust
SplunkTrust
‎04-20-2011 09:11 AM

It's hard to say for 100% sure without digging through your configuration. You could always add the above extraction to props.conf for your sourcetype. See update to answer...

0 Karma
Reply
Solved! Jump to solution

seanlon11
Path Finder
‎04-20-2011 08:55 AM

I have looked through my existing Field Extractions, and I do not see anything related to this particular username. So I think it appears to be Splunk making this extraction.

Using your inline extraction above retrieves the usernames as expected for the test_username field.

Any idea why Splunk would extract usernames wrong? What configuration can I check to ensure it is not something I have done?

Thanks,
Sean

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...