Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How come only one of many fields is not extracting?

shayhibah
Path Finder
‎10-23-2018 09:40 PM

I have a weird behavior in my environment.

When I get new data, I parse them using my regex (= as delimiter between key-value and | as delimiter between pairs).

In addition, I create mapping for them in order to support CIM fields (fields alias).

When I see my logs in Search app, all of the records contain the field "action" but — the problem is that I can't find this field on my left side (interesting fields) even if I choose 100% coverage (all other fields are fine).

I tired to look at my props.conf & transforms.conf files, but there is no special behavior for this field.

Can someone advise me how to deal with it?

Thanks

0 Karma
Reply

sudosplunk
Motivator
‎10-25-2018 07:05 AM

Hi,

Just so I understand this correctly, you checked on the "action" field by going into "All Fields" tab on the left side, correct. Because it works for me. (see the screenshot below)

If it doesn't work this way, try tweaking ui-pref.conf under your user ($SPLUNK_HOME/etc/users/) directory on search head (do this on all search heads if you're using search head cluster). HTH!

ui-prefs.conf:

[search]
display.events.fields = ["source","sourcetype","host","index","version"]

alt text

Preview file
1 KB
0 Karma
Reply

mstjohn_splunk
Splunk Employee
Splunk Employee
‎10-24-2018 01:22 PM

hi @shayhibah

Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!

0 Karma
Reply

vishaltaneja070
Motivator
‎10-24-2018 12:56 AM

Hello @shayhibah

I think the issue seems to be with regex only .

What I can suggest you here, you can directly extract the filed directly using Splunk WEB UI using regex (On search screen, extract more fields). and assign it the name action. That stanza will be automatically added to props.conf and transforms.conf

0 Karma
Reply

shayhibah
Path Finder
‎10-24-2018 09:33 PM

hi @vishaltaneja07011993
using rex in my search screen works but after refreshing the page - it turns back into its bad behavior.

I just want to emphasize that I did use only field extraction as part of my source type transform (have not done it using the WEB UI directly). why only this field behave differently?

Just to give more info:

query:
index IN (main) sourcetype="my_log" AND severity IN (Medium,High,Critical)

transformation function:
([a-zA-Z0-9_]+)=([^|]+)

raw log:
time=1540422044|hostname=LS|severity=Critical|action=Detect|ifdir=inbound

Interesting fields:
hostname
ifdir
severity
time

Update:
In addition - I MUST MENTION THAT I HAVE MULTIPLE LOGS FROM THE SAME LOG FILE I SENT. THERE ARE RECORDS THAT THE ACTION FIELD IS EXTRACTED AND THERE ARE RECORD THAT THE ACTION FIELD IS NOT EXTRACTED (ALTHOUGH ITS IN THE RAW LOG).

0 Karma
Reply

vishaltaneja070
Motivator
‎10-24-2018 11:32 PM

Hello @shayhibah
What I suggest you here, if you are using the latest version of Splunk. Then there is a Data Quality dashboard, just check there is any data issue occurred.

That can give you better insight.

Thanks!

0 Karma
Reply

shayhibah
Path Finder
‎10-25-2018 12:13 AM

@vishaltaneja07011993

Unfortunately could not find something there..

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...