I am trying to use Splunk to manage syslog messages at home from my router (which will use way less than 500MB a day). Using a custom firewall ruleset, I get syslog messages in this format (some field values redacted):
Dec 26 10:10:04 kernel: R0 NET_SCAN_IPV4-IN=eth1 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=<SRC_IP> DST=<DST_IP> LEN=40 TOS=0x00 PREC=0x20 TTL=97 ID=256 PROTO=TCP SPT=6000 DPT=1
So I went to create a custom field extraction regex (as nothing default in Splunk seems to handle syslog messages in this format), and let it develop the regex to parse out the rule name, which has values like NET_SCAN_IPV4, ROUTER_IPV4_DENY, etc. There are IPV6 versions, too, just not active yet. I test, and then go to save the regex, and I get this error thrown at me:
500 Internal Server Error
TypeError: object of type 'NoneType' has no len()
This page was linked to from http://foobar:8000/en-US/ifx?sid=1324913742.32&offset=0&namespace=search.
You are using foobar:8000, which is connected to splunkd @113966 at https://127.0.0.1:8089 on Mon Dec 26 11:03:46 2011.
Is this a bug in the current version of Splunk? I believe it is 4.2.5, downloaded yesterday (12/25/2011).
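As an added example (not code from the question or from Splunk itself), here is a small Python parser for the kernel log format shown above. The rule-name regex it uses is the same pattern you would paste into Splunk's field extraction; the remaining KEY=VALUE parsing is a stand-in for the other extracted fields. It assumes the token before the rule name is always a single word like the "R0" in the sample line; the sample lines and addresses are constructed (RFC 5737 / RFC 3849 documentation ranges), and the ROUTER_IPV4_DENY and IPv6 lines are guesses at what the other rules emit, based on the standard iptables LOG layout.

```python
import re
from collections import Counter

# Constructed sample lines in the format the question shows. Addresses are
# documentation ranges, MACs are made up. The third line is a guess at what
# the not-yet-active IPv6 rule would log (ip6tables repeats LEN=, which the
# parser has to cope with).
SAMPLE_LINES = [
    "Dec 26 10:10:04 kernel: R0 NET_SCAN_IPV4-IN=eth1 OUT= "
    "MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=203.0.113.5 DST=192.0.2.10 "
    "LEN=40 TOS=0x00 PREC=0x20 TTL=97 ID=256 PROTO=TCP SPT=6000 DPT=1",
    "Dec 26 10:11:17 kernel: R0 ROUTER_IPV4_DENY-IN=eth1 OUT= "
    "MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=198.51.100.7 DST=192.0.2.10 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44321 DPT=22 "
    "WINDOW=5840 RES=0x00 SYN URGP=0",
    "Dec 26 10:12:03 kernel: R0 NET_SCAN_IPV6-IN=eth1 OUT= "
    "MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:86:dd SRC=2001:db8::1 DST=2001:db8::2 "
    "LEN=40 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=UDP SPT=5353 DPT=5353 LEN=20",
]

# Rule name: the token between the single word after "kernel:" (assumed to be
# "R0"-style) and the "-IN=" that starts the iptables field list. Splunk's
# field extraction accepts this same PCRE, including the (?P<name>...) group.
RULE_RE = re.compile(r"kernel:\s+\S+\s+(?P<rule_name>[A-Z0-9_]+)-IN=")

# KEY=VALUE pairs. The value may be empty: "OUT=" carries no interface for
# traffic dropped on input.
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Bare tokens iptables emits without a value (DF and the TCP flag bits).
FLAG_RE = re.compile(r"\s(DF|SYN|ACK|FIN|RST|PSH|URG)\b")


def parse_event(line):
    """Return a dict of fields for one kernel log line, or None when the line
    does not carry a rule name in the "<RULE>-IN=" shape."""
    m = RULE_RE.search(line)
    if m is None:
        return None
    fields = {"rule_name": m.group("rule_name")}
    for key, value in KV_RE.findall(line):
        # First occurrence wins: ip6tables logs the IP LEN first and the
        # UDP/TCP LEN later, and the packet length is the one we want.
        fields.setdefault(key, value)
    fields["flags"] = FLAG_RE.findall(line)
    return fields


def summarize(lines):
    """Count events per rule and hits per (proto, destination port), the two
    numbers a home firewall dashboard would show first."""
    by_rule = Counter()
    by_port = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # unrelated kernel message, e.g. link state changes
        by_rule[ev["rule_name"]] += 1
        if ev.get("PROTO") in ("TCP", "UDP") and ev.get("DPT"):
            by_port[(ev["PROTO"], int(ev["DPT"]))] += 1
    return by_rule, by_port


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = parse_event(line)
        print(ev["rule_name"], ev["SRC"], "->", ev["DST"],
              ev.get("PROTO"), ev.get("DPT"), ev["flags"])
    rules, ports = summarize(SAMPLE_LINES)
    print("by rule:", dict(rules))
    print("by port:", dict(ports))
```

The regex in RULE_RE is the only part that has to match Splunk's view of the event; the rest is there so you can check what the other fields look like before trusting a dashboard built on them.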
Yeah, that's broken in 4.2.5 (just reproed)
I'll file a bug if one has not been filed yet.
Edit: already fixed in 4.3; bug to reference: SPL-46679
Genti, thanks - when I looked there were my custom fields!
4.3 will come out soon. Not sure of the release date though.
The fix might be back-ported, but there is nothing out yet. So you know, it's just the IFX, and actually the error does not mean that the field extraction did not get saved. At least in my case, when I tried to do it again, it told me that one existed already, and lo and behold, the field got extracted... so, it gives an error when you save it in the UI, but the config change is also made. So you should be OK. It's kind of purely visual - at least for me.
Any chance we can see a backport for this fix? I just smacked into it myself.
Forgot to ask, where can we get 4.3? Or when is it set to be released? Is there a hotfix by chance?
Sounds good, thanks!
Yes, that is an unhelpful error message. Can you show the regex?