Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

real-time search and field extraction/transformation

alexiri
Communicator
‎05-20-2011 07:59 AM

I used to have an index-time field extraction on one of my source types in order to get the error code of the message. I also had a real-time alert on that field, something like "error=ANR1234E". This worked quite nicely, whenever that particular error came up the alert action was triggered.

I've just converted this field extraction to a search-time one, as I've been told that there is no longer a performance benefit and this way its more flexible. Now, my real-time alert no longer works.

Reading the documentation on real-time alerts I see why: they're triggered before index-time. The question is, why, then, did it work when I was doing an index-time field extraction?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hazekamp
Builder
‎05-20-2011 09:10 AM

You are correct in that real-time searches grab the data before it hits the index queue, however real-time searches do have access to search time field extractions which happen in the parsing queue.

Can you successfully search for "error=ANR1234E" via non RT search. This would rule out the field extraction as the culprit?

View solution in original post

0 Karma
Reply
Solved! Jump to solution

alexiri
Communicator
‎05-20-2011 09:54 AM

You are totally correct, I couldn't. I had the extractions defined in props.conf as EXTRACT-, changing this to REPORT- made it work correctly again. Thanks for pointing me in the right direction!

0 Karma
Reply
Solved! Jump to solution
Solution

hazekamp
Builder
‎05-20-2011 09:10 AM

You are correct in that real-time searches grab the data before it hits the index queue, however real-time searches do have access to search time field extractions which happen in the parsing queue.

Can you successfully search for "error=ANR1234E" via non RT search. This would rule out the field extraction as the culprit?

0 Karma
Reply
Solved! Jump to solution

alexiri
Communicator
‎05-20-2011 08:42 AM

I did, it's "error=ANR1234E".

Regardless, the question isn't about a particular search that isn't working. The question is, how is it possible that a real-time search based on an index-time field extraction actually works, given that the real-time search supposedly runs before the event is indexed?

0 Karma
Reply
Solved! Jump to solution

Simeon
Splunk Employee
Splunk Employee
‎05-20-2011 08:37 AM

It would help if you paste your exact search.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...