Hello,
we have a logfile that contains key=value pairs.
Usually Splunk's automatic field extraction is working fine and is showing the fields. But when I want to do a search like e.g. this:
source="/var/opt/tomcat/logs/san.log" tag="*"
Splunk tells me that the field "tag" doesn't exist.
But when I use:
source="/var/opt/tomcat/logs/san.log" | search tag="whateverilookfor*"
I get the results as wished but also a message on top of the window saying:
Encountered an unexpected error while parsing intentions.
What is happening here and how can I avoid this?
tag is probably a reserved word, since it refers to tagging of information. See the Knowledge Manager section in the docs.
Maybe that only applies when it comes before the first pipe. However, I believe that
source="/var/opt/tomcat/logs/san.log" "tag=*"
would give you what you want, i.e. enclosing the statement in double quotes.
Hope this helps,
Kristian
Thank you Kristian, that was exactly the problem. Tag is a reserved word, so it shouldn't be used in the log event as a field name. We changed the field name to ltag, and now it is working. Best, Thomas