Splunk Search

Extraction failure

tprzelom
Path Finder

This seems like a straightforward config; can someone spot where it's going wrong? I am unable to extract the "aaa" field. The regex and extraction work correctly with the following search:
sourcetype=alerts | rex field=_raw "(?<aaa>.*\d{4}),"

Raw data (sourcetype alerts):
Wed Nov 21 09:47:41 EST 2012,CAM,Outer Door,Door State,Closed

Props.conf(/opt/splunk/etc/apps/myapp/local/):

[alerts]
KV_MODE=none
EXTRACT-door = (?<aaa>.*\d{4}),

Search:
sourcetype=alerts | extract reload=true

Thanks,
Thomas

0 Karma

alacercogitatus
SplunkTrust

What exactly are you trying to capture? Your regex (.*\d{4}) doesn't match anything except the timestamp.

Based on your props config, I will assume you are looking for the Door name.

rex field=_raw "\d{4},(?<whatever_cam_is>[^,]*),(?<door_name>[^,]*),"

should give you whatever field the CAM refers to, and the door_name of "Outer Door".

Have you considered using a transform?

props.conf

[alerts]
REPORT-doorcontrol = doorcontrolcsv

transforms.conf

[doorcontrolcsv]
DELIM = ","
FIELDS = "timestamp", "whatever", "door_name", "alert_type", "alert_value"

0 Karma

alacercogitatus
SplunkTrust

Whoops. Thanks, tprzelom. If this answers your question (albeit misspelled), please accept it. Thanks!

0 Karma

tprzelom
Path Finder

[doorcontrolcsv]
DELIM = ","
FIELDS = "timestamp", "whatever", "door_name", "alert_type", "alert_value"

There should be an S at the end of DELIMS, for anyone who comes across this.
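To make the two points in this thread concrete (why `(?<aaa>.*\d{4}),` only ever yields the timestamp, and why a stanza with `DELIM` instead of `DELIMS` extracts nothing), here is an added Python example that is not part of the thread and not Splunk's own code. It replays the raw event from the question through a small `rex`-style matcher and through a simplified, constructed model of a DELIMS/FIELDS transform. Assumptions, labelled in the comments: Python's `re` needs `(?P<name>...)` where Splunk's PCRE accepts `(?<name>...)`, so named groups are translated; the delimiter model only handles the single-delimiter form of DELIMS; the helper names (`rex`, `delims_extract`, `parse_stanza`) are hypothetical and exist only here.

```python
import re

# Constructed sample event: the raw data line posted in the question.
RAW_EVENT = "Wed Nov 21 09:47:41 EST 2012,CAM,Outer Door,Door State,Closed"

# The transforms.conf stanza as posted (DELIM, a key Splunk does not know)
# and the corrected form (DELIMS). Both are constructed test inputs.
STANZA_TYPO = '''[doorcontrolcsv]
DELIM = ","
FIELDS = "timestamp", "whatever", "door_name", "alert_type", "alert_value"
'''
STANZA_FIXED = STANZA_TYPO.replace("DELIM =", "DELIMS =")


def pcre_to_python(pattern):
    """Splunk (PCRE) writes named groups as (?<name>...); Python's re
    wants (?P<name>...). Lookbehinds (?<= and (?<! are left untouched."""
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)


def rex(event, pattern):
    """Rough stand-in for `rex field=_raw "<pattern>"`: the named groups of
    the first match, or an empty dict when the pattern does not match."""
    m = re.search(pcre_to_python(pattern), event)
    return m.groupdict() if m else {}


def parse_stanza(text):
    """Read `key = value` lines of a single .conf stanza into a dict.
    Hypothetical helper; it ignores the [header] line and blank lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[") or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def quoted_list(value):
    """'"a", "b"' -> ['a', 'b'] (how DELIMS/FIELDS values are written)."""
    return re.findall(r'"([^"]*)"', value)


def delims_extract(event, stanza_text):
    """Simplified model of a DELIMS/FIELDS transform (assumption: single
    delimiter, fields assigned positionally). A stanza that misspells the
    key (DELIM) has no DELIMS, so, like Splunk, nothing is extracted."""
    settings = parse_stanza(stanza_text)
    if "DELIMS" not in settings or "FIELDS" not in settings:
        return {}
    delimiters = quoted_list(settings["DELIMS"])
    fields = quoted_list(settings["FIELDS"])
    values = event.split(delimiters[0])
    return dict(zip(fields, values))


if __name__ == "__main__":
    # The original regex: greedy .* runs to the last "dddd," in the event,
    # which is the year in the timestamp, so "aaa" is just the timestamp.
    print(rex(RAW_EVENT, r"(?<aaa>.*\d{4}),"))
    # The suggested regex anchors on the year and walks the CSV columns.
    print(rex(RAW_EVENT, r"\d{4},(?<whatever_cam_is>[^,]*),(?<door_name>[^,]*),"))
    # DELIM (typo) extracts nothing; DELIMS yields all five fields.
    print(delims_extract(RAW_EVENT, STANZA_TYPO))
    print(delims_extract(RAW_EVENT, STANZA_FIXED))
```

Run it as a script to see the four results side by side. The stanza check is the useful habit to take from the thread: when a REPORT- or EXTRACT- setting silently produces no fields, diff the key names in the stanza against the spelling in the spec file (`btool ... list` shows exactly what Splunk parsed) before reworking the regex.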

tprzelom
Path Finder

I removed the pipe to extract reload=T and am receiving the same results.

0 Karma

alacercogitatus
SplunkTrust

Your search should just be sourcetype=alerts. I believe the extract doesn't need to be there to pull search-time extraction changes anymore.

tprzelom
Path Finder

props.conf:
[alerts]
REPORT-doorcontrol = doorcontrolcsv

transforms.conf:
[doorcontrolcsv]
DELIM = ","
FIELDS = "timestamp", "whatever", "door_name", "alert_type", "alert_value"

Search:
sourcetype=alerts | extract reload=T

I'm still not getting any field extractions.
I was just trying to get the extraction to work. I was going to build out the regex once I confirmed I could extract fields.

0 Karma

RicoSuave
Builder

Try removing KV_MODE=none and issue

| extract reload=T

from the flashtimeline.

0 Karma

tprzelom
Path Finder

MUST_BREAK_AFTER =
MUST_NOT_BREAK_AFTER =
MUST_NOT_BREAK_BEFORE =
REPORT-doorcontrol = doorcontrolcsv
SEGMENTATION = indexing
SEGMENTATION-all = full
SEGMENTATION-inner = inner
SEGMENTATION-outer = outer
SEGMENTATION-raw = none
SEGMENTATION-standard = standard
SHOULD_LINEMERGE = True
TRANSFORMS =
TRUNCATE = 10000
maxDist = 100

There was a bunch of lookups associated with ES in the output too, but I cut them out to save space/characters.

0 Karma

tprzelom
Path Finder

[alerts]
ANNOTATE_PUNCT = True
BREAK_ONLY_BEFORE =
BREAK_ONLY_BEFORE_DATE = True
CHARSET = UTF-8
DATETIME_CONFIG = /etc/datetime.xml
HEADER_MODE =
LEARN_SOURCETYPE = true
LINE_BREAKER_LOOKBEHIND = 100
MAX_DAYS_AGO = 2000
MAX_DAYS_HENCE = 2
MAX_DIFF_SECS_AGO = 3600
MAX_DIFF_SECS_HENCE = 604800
MAX_EVENTS = 256
MAX_TIMESTAMP_LOOKAHEAD = 128

0 Karma

RicoSuave
Builder

You should search through the output for the [alerts] stanza and see what configs it has.

0 Karma

tprzelom
Path Finder

Single SH/indexer deployment, that outputs a 3MB file because I have the Enterprise Security app installed.

0 Karma

RicoSuave
Builder

Can we get a brief description of your architecture? Are you running a search head (or heads) with configured distributed peers? Is there search head pooling involved? Or is this just a single SH/indexer deployment? Also, if you could attach the output of the following command

./splunk cmd btool props list

That will help.

Additionally, make sure the field discovery button is turned to the on position.

0 Karma

tprzelom
Path Finder

Still no extraction happening.

0 Karma