Splunk Search

I added a field to all my events so I could search for specific results, but why can't Splunk read the custom field values?

muellernc
Engager

I added a field cluster to all my events, so that I can search for results from a specified Hadoop cluster. I edited inputs.conf on each node, for example with

[default]
_meta = cluster::Test8

and fields.conf with

[cluster]
INDEXED=true

The cluster information is displayed fine in Splunk Search:

If I try to search for a specific cluster, however, I get no results:

When I search for cluster=*Test8, the search works fine again. When I try to plot data (CPU_Load) with timechart and plot it by cluster, it messes up the diagram because it doesn't show any data points.

Thanks for your help!

0 Karma

jkat54
SplunkTrust

Try this instead:

[cluster]
INDEXED = true
INDEXED_VALUE = false

As per the inputs.conf documentation:

INDEXED_VALUE = [true|false|<sed-cmd>|<simple-substitution-string>]
* Set this to true if the value is in the raw text of the event.
* Set this to false if the value is not in the raw text of the event.
* Setting this to true expands any search for key=value into a search of value AND key=value (since value is indexed).
....
* Defaults to true.

Another approach is to change your search to this, maybe:

source="/etc/bmw.hadoop/log/cluster/performance.log" Test8

Final suggestion: Use Tags, Sourcetypes, or even lookups to identify the cluster instead of this meta jazz. Right now you're setting EVERY event to have this meta, and the docs warn against this unless absolutely required.

0 Karma
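A small model of the INDEXED_VALUE expansion rule quoted above, added here as an illustration; it is not code from this thread or from Splunk. It assumes constructed events, a crude whitespace/equals term split in place of the real lexicon, and (consistent with the symptoms in the question) that a wildcard value skips the raw-term expansion.

```python
import fnmatch
import re
from dataclasses import dataclass, field


@dataclass
class Event:
    raw: str                                   # raw event text as written to the index
    meta: dict = field(default_factory=dict)   # indexed key::value pairs added via _meta


# Constructed sample events (not real log data). The forwarder stamped
# cluster::Test8 on the first three; only the last one also carries the
# string "Test8" inside its raw text.
EVENTS = [
    Event("2016-01-01 10:00:00 CPU_Load=0.42 host=node1", {"cluster": "Test8"}),
    Event("2016-01-01 10:00:05 CPU_Load=0.57 host=node2", {"cluster": "Test8"}),
    Event("2016-01-01 10:00:00 CPU_Load=0.11 host=node9", {"cluster": "Prod1"}),
    Event("2016-01-01 10:00:10 CPU_Load=0.30 host=node3 cluster=Test8", {"cluster": "Test8"}),
]


def raw_terms(raw):
    # Stand-in for the lexicon: split on whitespace and '=', lower-cased.
    return {t.lower() for t in re.split(r"[\s=]+", raw) if t}


def search(query, events, indexed_value=True):
    """Resolve a key=value search against indexed (meta) fields.

    With INDEXED_VALUE=true the documented expansion turns key=value into
    'value AND key::value', so the literal value must also be a term in the
    raw text. With INDEXED_VALUE=false only key::value is checked.
    Assumption: a wildcard value is matched against the indexed value only.
    """
    key, value = query.split("=", 1)
    matches = []
    for ev in events:
        hit = fnmatch.fnmatchcase(ev.meta.get(key, ""), value)
        if indexed_value and "*" not in value:
            hit = hit and value.lower() in raw_terms(ev.raw)
        if hit:
            matches.append(ev)
    return matches


if __name__ == "__main__":
    print(len(search("cluster=Test8", EVENTS)))                       # 1: only the event with Test8 in raw text
    print(len(search("cluster=*Test8", EVENTS)))                      # 3
    print(len(search("cluster=Test8", EVENTS, indexed_value=False)))  # 3
```

With the default setting, the two events whose raw text never mentions Test8 are silently dropped, which is why the timechart shows gaps; INDEXED_VALUE=false or the wildcard form returns all three.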

vinceskahan
Path Finder

Do you have an example of how to use a tag to do this on the forwarder from the shell only? I can't find any reference to what to edit where on the universal forwarder client hosts (we deploy with Puppet, so no GUI there) and what, if anything (hoping nothing), we need to edit (and where) on the indexer or search head boxes.

0 Karma

jkat54
SplunkTrust

Can you just give the performance.log input a sourcetype of HADOOP_CLUSTER_TEST8 instead of messing around with _meta?

0 Karma