Splunk Enterprise

Field extraction when the text has %%01 and other symbols: the search for the value doesn't work

israelgutierrez
Path Finder

Hi,

I have a log like this:

Mar 10 20:19:39 10.18.10.11 Mar 10 2016 20:18:07 HIPDR-M909-X8-CA %%01SHELL/5/CMDRECORD(s)[37105]:Recorded command information. (Task=VT1, Ip=10.2.11.10, VpnName=O_G, User=65w, AuthenticationMethod="Local-user", Command="ping -c 100 -vpn-instance DAT 1.23.30")

I have a Field extraction in search mode:

sourcetype="huawei" | rex field=_raw "\%\%\d{2}(?<sig>\w+\/\d+\/\w+)\("

So if I search like this:

sourcetype="huawei" | rex field=_raw "\%\%\d{2}(?<sig>\w+\/\d+\/\w+)\("| search sig="SHELL/5/CMDRECORD"

it works like a charm.

But if I save the extraction in Field Extractions (all the permissions are global; we restarted Splunk several times and ran extract reload=true)

So when I do the search:

sourcetype="huawei" sig="SHELL/5/CMDRECORD"

it shows 0 results.

Any idea what could be happening?


acharlieh
Influencer

Your extraction starts with a partial token, which requires an extra edit in fields.conf to work. See the docs: http://docs.splunk.com/Documentation/Splunk/6.3.3/Knowledge/Createandmaintainsearch-timefieldextract...

The reason gets into how segmentation and searching work. In basic terms, at index time Splunk breaks up your events into words based on punctuation and keeps track of which buckets of data have which words. It then converts your search into words that should appear if your search matches data. If not all words are present for a big bucket of data, that bucket could be tossed before Splunk extracts parts of words to see that your search actually does match (without the fields.conf config, which essentially says your field will not appear as indexed words).

I would guess that in your current configuration this search might actually work without fixing fields.conf:

sourcetype="huawei" sig=* | search sig="SHELL/5/CMDRECORD"
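To make the segmentation argument in the answer above concrete, here is an added Python model (not Splunk code, and not part of this thread) that runs the question's rex pattern over the sample event and a second constructed event, tokenizes the raw text the way a simplified index-time segmenter would (splitting on every non-word character; real Splunk uses configurable major/minor breakers, so this is an assumption that is only meant to reproduce the partial-token effect), and then compares a search that requires the field value's terms to be present as indexed tokens with one that does not. The second mode stands in for both the fields.conf INDEXED_VALUE = false fix and the sig=* | search sig=... workaround from the answer.

```python
import re

# Constructed sample events: the first is the event from the question, the
# second is a made-up event of the same shape with a different %%01 signature.
EVENT_SHELL = (
    'Mar 10 20:19:39 10.18.10.11 Mar 10 2016 20:18:07 HIPDR-M909-X8-CA '
    '%%01SHELL/5/CMDRECORD(s)[37105]:Recorded command information. '
    '(Task=VT1, Ip=10.2.11.10, VpnName=O_G, User=65w, '
    'AuthenticationMethod="Local-user", Command="ping -c 100 -vpn-instance DAT 1.23.30")'
)
EVENT_SNMP = (
    'Mar 10 20:20:01 10.18.10.11 Mar 10 2016 20:18:29 HIPDR-M909-X8-CA '
    '%%01SNMP/4/COMMUNITY_FAIL(l)[37106]:Constructed sample event for this model.'
)
EVENTS = [EVENT_SHELL, EVENT_SNMP]

# Same pattern as the rex command in the question, in Python re syntax.
SIG_RE = re.compile(r"%%\d{2}(?P<sig>\w+/\d+/\w+)\(")

# Simplified index-time segmentation (assumption): every run of word characters
# is one indexed token, so "%%01SHELL/5/CMDRECORD" yields 01SHELL, 5, CMDRECORD.
TOKEN_RE = re.compile(r"\w+")


def extract_sig(event):
    """Search-time extraction: what the rex command produces for one event."""
    m = SIG_RE.search(event)
    return m.group("sig") if m else None


def index_tokens(event):
    """Set of tokens the (simplified) indexer would record for the event."""
    return set(TOKEN_RE.findall(event))


def search_terms(value):
    """Terms Splunk would require when it treats a field value as indexed."""
    return set(TOKEN_RE.findall(value))


def search_with_term_prefilter(events, value):
    """Model of sig="..." when the field is assumed to be indexed: the value is
    split into terms and every term must exist as a whole indexed token, or the
    event is discarded before the rex extraction ever runs."""
    wanted = search_terms(value)
    candidates = [e for e in events if wanted <= index_tokens(e)]
    return [e for e in candidates if extract_sig(e) == value]


def search_without_term_prefilter(events, value):
    """Model of INDEXED_VALUE = false (or sig=* | search sig="..."): no token
    prefilter, so every event reaches the extraction and is compared by value."""
    return [e for e in events if extract_sig(e) == value]


if __name__ == "__main__":
    value = "SHELL/5/CMDRECORD"
    print("extracted:", extract_sig(EVENT_SHELL))
    print("SHELL is an indexed token:", "SHELL" in index_tokens(EVENT_SHELL))
    print("with prefilter:", len(search_with_term_prefilter(EVENTS, value)))
    print("without prefilter:", len(search_without_term_prefilter(EVENTS, value)))
```

Running it shows the extraction returning SHELL/5/CMDRECORD while the only indexed token containing that word is 01SHELL, so the prefiltered search returns nothing and the unprefiltered search returns the matching event. The value is a partial token precisely because %%01 sits inside the same word run as SHELL, which is the situation INDEXED_VALUE = false exists for.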

israelgutierrez
Path Finder

Thanks.

Creating this stanza in fields.conf:

[sig]
INDEXED = False
INDEXED_VALUE = False

solved the behavior.

Now searches like this work:
sourcetype="huawei" sig=SNMP
