Field Extractions Not working in Splunk Cloud

anandhalagarasa · ‎08-12-2019

Hi Team,

We have few aplication logs which are getting captured from Microsoft Storage Blobs using Microsoft Splunk Add-on for Microsoft Cloud Services. I can see the logs are getting ingested into Splunk Cloud without any issues and the data seems to be in JSON format. Actually we have around 12 services hosted in our environment but when i search the data with index and sourcetype i can able to fetch the logs only for 11 services (In extracted fields i can see only 11 service name) and for the rest 1 service i need to search the logs mentioning the index,sourcetype & service name then only the 12 th service is getting visible. Else if i search the data with index and sourcetype its not getting visible in the Field extractions.

Also one more thing is that in Splunk Cloud we didn't do any field extractions but the fields seems to be auto extracted and those auto extracted fields seems to be not visible when i navigate to Fields -->Field extractions. My actual requirement is that if i search the data with index and sourcetype Splunk needs to fetch the data for all the 12 services with all their data.

One more high lightened thing is that the 11 service name seems to be of same structure in JSON format whereas for the 12 Service Name is quite some different in structure of JSON. But all the logs are getting ingested with same source and sourcetype. So kindly help ti fix this issue.

woodcock · ‎08-12-2019

Splunk is very particular about the "JSON" that it parses. If your events do not pass this tool, then Splunk will not parse them as JSON:
https://jsonlint.com/

Also, you are almost certainly using Splunk's default settings which use KV_MODE=auto. You should override this and set KV_MODE=json for your event sourcetype(s) (after ensuring that they really are fully valid JSON). Even so, you will never field any Field Extractions for them unless you create them, which you are free to do.

anandhalagarasa · ‎08-12-2019

Hi can anyone help on my request.

richgalloway · ‎08-12-2019

If the 12th source uses a different json format than the other 11 then it should have a different sourcetype. Each sourcetype should have properties defined telling Splunk how to parse the events in that sourcetype. You can do that by installing apps from Splunkbase or by creating your own apps.

---
If this reply helps you, Karma would be appreciated.

anandhalagarasa · ‎08-12-2019

@richgalloway, It uses the same source and sourcetype and the logs are getting ingested into Splunk Cloud. But if we click the auto extracted fields it shows only the 11 service name and not the 12th one.

So my query is that can be able to modify the auto extracted fields in Splunk Cloud if yes where can i check and modify it.

richgalloway · ‎08-14-2019

I understand all 12 are using the same sourcetype. However, if they are not all using the exact same format then they should not be using the same sourcetype. Different input formats require different sourcetypes.

Auto-extractions are not changed. They are replaced with different extractions by installing an app that has appropriate props.conf and transforms.conf settings for the sourcetype.

---
If this reply helps you, Karma would be appreciated.

Field Extractions Not working in Splunk Cloud

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life