Solved: Issue with automatic field detection

dominiquevocat · ‎08-14-2013

We have customized our internal applications to a custom key=value schema and it usually works well. Splunk usually recognizes the fields just fine. However in one case it fails.

If the Logline contains
JSocketPlugInImpl: handled :/Workflow/getNextActions

Then the following line
Aug 14 14:34:51 172.26.1.10 14.08.2013 16:41:35 level=INFO stage=prod component=E3 application=evn version=V_06_02_08 service=/Workflow/getNextActions user=xXxXx JSocketPlugInImpl: handled :/Workflow/getNextActions, ReqLen[b]=1000, RspLen[b]=5505 (LogDecorator.java, line 118)

gives me in the field user "xXxXx JSocketPlugInImpl: handled :/Workflow/getNextActions"

Is there something i need to tweak? Or do we have to always put values into " ?

A working logline would be
Aug 15 07:08:26 172.26.1.10 15.08.2013 09:09:51 level=INFO stage=prod component=E3 application=evn version=V_06_02_08 service=/Workflow/setContainer user=xXxXx HPVTraceHandler: Execution of request /Workflow/setContainer [375961] RC=0 took ms: 0 (LogDecorator.java, line 118)

Seems to only affect lines with "JSocketPlugInImpl:"

Ayn · ‎08-14-2013

Splunk will by default recognize field=value pairs and will also by default use "," as a delimiter between field value pairs. So this is simply default behaviour.

View solution in original post

dominiquevocat · ‎08-15-2013

I have augmented the description.

Ayn · ‎08-14-2013

Splunk will by default recognize field=value pairs and will also by default use "," as a delimiter between field value pairs. So this is simply default behaviour.

dominiquevocat · ‎08-15-2013

We'll change the app logging to see if it helps but yeah makes sense. Will close the question when we have verified this.

lukejadamec · ‎08-14-2013

Can you post an event that does not cause this problem?

Issue with automatic field detection

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life