- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Wildcard search not working on splunk search bar.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When I try to search for hostname (ks75rhel) typing it in the search bar, I'm not getting any results. I tried the following ways...
ks75rhel
*ks75rhel*
ks75*
I did get results when I use host=ks75rhel, did anyone face this kind of issue...? Any help would be appreciated. Thanks..!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The host field is a metadata field and in most cases it's not logged in the raw data (generally taken as the server name of the forwarder). The method that you tried is text search and it checks only the raw data, and I guess no host name available in raw data, hence no result. And when you use host=ks75rhel, it will result as that will query the metadata field value. Hope it makes some sense.
Now, when you include the host field in your query, following will fine
host=ks75rhel
host=*ks75rhel*
host=ks75*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You may want to try search time extractions, something like (assuming, the literal uri=" shows up first time in the entire raw string).
rex=_raw "uri="(?[^"]+)"
If you can paste some sample data with different variations of the uri, might be able to provide a more cleaner regex expression
http://docs.splunk.com/Documentation/Splunk/6.2.3/SearchReference/Rex
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The host field is a metadata field and in most cases it's not logged in the raw data (generally taken as the server name of the forwarder). The method that you tried is text search and it checks only the raw data, and I guess no host name available in raw data, hence no result. And when you use host=ks75rhel, it will result as that will query the metadata field value. Hope it makes some sense.
Now, when you include the host field in your query, following will fine
host=ks75rhel
host=*ks75rhel*
host=ks75*
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It's not so much indexed vs. raw data, it's more like source event data vs. metadata. _time, host, source and sourcetype are some of the event metadata fields that Splunk assigns to each event based on YOUR configuration.
Only the raw event stream counts against your license.
We store metadata in files alongside the raw data (in journal.gz). Why would you want to tweak it and what do you want to tweak?
@3: Metadata exists alongside the raw data and will be kept current and accurate with it. If - say - the last event for host xyz ages out of the system, you won't find any references to it in metadata files either.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We store metadata in files alongside the raw data (in journal.gz). Why would you want to tweak it and what do you want to tweak?
wanted to know if i can change the hostname form ks75rhel to webserver01 or similar...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You'd need a lookup table to make that work which only can be used at search time, not when the host field is written. An automated lookup should be enough to adress your issue:
http://docs.splunk.com/Documentation/Splunk/6.3.2/Knowledge/Makeyourlookupautomatic
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Make sense... the raw data doesn't have a host field, i have few questions on this...
1.coming to the diff b/w indexed and raw data..? indexed data is the one which does key value pair extractions and license would be calculated based on the indexed data..?
2. how does splunk store the metadata(like host=ks75rhel)...? can we make any tweaks on this...?
3. does retention period applies for both indexed and raw data...?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A little confused, when you search for (ks75rhel) , do you have this entry in the logs (without braces?) or is it just a field/metadata of the actual field host? Can you post a sample log that has the host entry? Har to figure otherwise
Thanks,
Raghav
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have the sample log pasted when i search by host=ks75rhel, when i type in just ks75rhel it's blank in the output...
3/2/16 192.168.6.3 - - [02/Mar/2016:10:49:55 -0600] "GET /test.htm " 200 168 "-" "-" 0\2341
10:49:55.000 AM bytes = 168 clientip = 192.168.6.3 file = testing.htm host = ks75rhel index = rhelt0 method = GET response_ms = 2341 source = /opt/applications/web2/servers/ks_ncr/logs/access.20160302000000.log sourcetype = access_combined uri_path = /testing.htm
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
