Solved: Re: Extract not giving the exact result - Page 2

sunnyparmar · ‎09-21-2015

Hi,

I have an extract with the name "remotesystemid" but when i am executing the below query it is giving values with null column.

index=abc sourcetype=xyz | timechart count by remotesystemid

If i am using ( | stats values(*) as * by remotesystemid ) with the above given command to exclude null value then it is giving no result found.

Kindly suggest where i am wrong?

Thanks

woodcock · ‎09-22-2015

Your field extraction for remotesystemid are not working but we can do this inside your search; try this:

index=abc sourcetype=xyz | rex "RemoteSystemId is (?<remotesystemid>\S+)" | timechart count by remotesystemid

View solution in original post

sunnyparmar · ‎09-21-2015

First on splunk server its found under user directory and it has following entries under it -

[sc-kofax-extracts]
[sc-nova-email]
[ng-pay]

With this it is found under (etc/system/local/) as well and entries are

[my-onp-front]
TRANSFORMS-drop_noise = heartbeat

and on my local system from where i am pushing the data to splunk server through universal forwarder, its found under ($SPLUNK_HOME\SplunkUniversalForwarder\etc\system\default) and under this there are no entries related to "remotesystemid"

DennisMohn · ‎09-21-2015

So this seems to be the problem. The field "remotesystemid" is never extracted, so Splunk does not know how to handle your request.

I suggest you check out the Field Extractor Manual: http://docs.splunk.com/Documentation/Splunk/6.2.6/Knowledge/ExtractfieldsinteractivelywithIFX

After you have added a field extraction for remotesystemid, you can go on with your search.

sunnyparmar · ‎09-21-2015

Hey Dennis.. the page you have shared with me and the procedure that is mentioned on the page for making field extraction, i have made my field extraction in the same way as it is mentioned on the page so do you have any idea why Splunk behave weird. Thanks

sunnyparmar · ‎09-21-2015

@ Dennis - the last comment you have posted i am not able to see that post on our forum but though getting alert through email.. so on basis of that here it is the answer

(?i) Removed (?P[^ ]+)

Thanks

sunnyparmar · ‎09-21-2015

after P there is remotesysid in signs <> .. don't understand why it is not taking in above mentioned comments.

sunnyparmar · ‎09-21-2015

Hey Dennis,

the last comment that you have posted i am not able to see that comment on this forum but though getting alert on my mail id.. so on basis of your questionbelow given is the "Extractions/Transform"

(?i) Removed (?P[^ ]+)

Thanks

DennisMohn · ‎09-21-2015

If you made the field extraction like mentioned in the tutorial, there should be an entry in your local props.conf file for it.

Can you check "Settings => Fields => Field Extractions" if your extraction shows up? Please post the regex under "Extractions/Transform"

sunnyparmar · ‎09-21-2015

My logs are like given below from which i am making extraction "remotesystemid"

INFO [http-8080-Processor22] 09-15 15:22:40 RemoteSystemId is nullcom.basware.bt.access.RemoteSystemIDNullException: Remote-System is NULL! Check the URL (MessengerServlet.java:257)
INFO [http-8080-Processor24] 09-15 15:21:40 RemoteSystemId is nullcom.basware.bt.access.RemoteSystemIDNullException: Remote-System is NULL! Check the URL (MessengerServlet.java:257)

Then why Splunk not taking it as a extraction? do you have any suggestions? Thanks

sunnyparmar · ‎09-21-2015

My data is like given below -

INFO [http-8080-Processor22] 09-15 15:22:40 RemoteSystemId is nullcom.basware.bt.access.RemoteSystemIDNullException: Remote-System is NULL! Check the URL (MessengerServlet.java:257)
INFO [http-8080-Processor24] 09-15 15:21:40 RemoteSystemId is nullcom.basware.bt.access.RemoteSystemIDNullException: Remote-System is NULL! Check the URL (MessengerServlet.java:257)

Extract not giving the exact result

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio