Hi,
I have an extraction with the name "remotesystemid", but when I execute the query below it gives values with a null column.
index=abc sourcetype=xyz | timechart count by remotesystemid
If I use ( | stats values(*) as * by remotesystemid ) with the above command to exclude null values, then it gives "no result found".
Kindly suggest where I am wrong.
Thanks
Your field extraction for remotesystemid is not working, but we can do this inside your search; try this:
index=abc sourcetype=xyz | rex "RemoteSystemId is (?<remotesystemid>\S+)" | timechart count by remotesystemid
First, on the Splunk server it is found under the user directory, and it has the following entries under it:
[sc-kofax-extracts]
[sc-nova-email]
[ng-pay]
With this, it is found under (etc/system/local/) as well, and the entries are
[my-onp-front]
TRANSFORMS-drop_noise = heartbeat
and on my local system, from where I am pushing the data to the Splunk server through the universal forwarder, it is found under ($SPLUNK_HOME\SplunkUniversalForwarder\etc\system\default), and under this there are no entries related to "remotesystemid".
So this seems to be the problem. The field "remotesystemid" is never extracted, so Splunk does not know how to handle your request.
I suggest you check out the Field Extractor Manual: http://docs.splunk.com/Documentation/Splunk/6.2.6/Knowledge/ExtractfieldsinteractivelywithIFX
After you have added a field extraction for remotesystemid, you can go on with your search.
Hey Dennis, regarding the page you shared with me and the procedure mentioned on it for making a field extraction: I have made my field extraction in the same way as it is described on that page, so do you have any idea why Splunk behaves weirdly? Thanks
@Dennis - I am not able to see the last comment you posted on our forum, though I am getting an alert through email, so on that basis here is the answer:
(?i) Removed (?P<remotesysid>[^ ]+)
Thanks
After P there is remotesysid in <> signs; I don't understand why it is not being taken in the above comment.
Hey Dennis,
I am not able to see the last comment you posted on this forum, though I am getting an alert to my mail id, so on the basis of your question, below is the "Extractions/Transform":
(?i) Removed (?P<remotesysid>[^ ]+)
Thanks
If you made the field extraction as described in the tutorial, there should be an entry in your local props.conf file for it.
Can you check "Settings => Fields => Field Extractions" if your extraction shows up? Please post the regex under "Extractions/Transform"
My logs are as given below, from which I am making the extraction "remotesystemid":
INFO [http-8080-Processor22] 09-15 15:22:40 RemoteSystemId is nullcom.basware.bt.access.RemoteSystemIDNullException: Remote-System is NULL! Check the URL (MessengerServlet.java:257)
INFO [http-8080-Processor24] 09-15 15:21:40 RemoteSystemId is nullcom.basware.bt.access.RemoteSystemIDNullException: Remote-System is NULL! Check the URL (MessengerServlet.java:257)
Then why is Splunk not taking it as an extraction? Do you have any suggestions? Thanks
My data is as given below:
INFO [http-8080-Processor22] 09-15 15:22:40 RemoteSystemId is nullcom.basware.bt.access.RemoteSystemIDNullException: Remote-System is NULL! Check the URL (MessengerServlet.java:257)
INFO [http-8080-Processor24] 09-15 15:21:40 RemoteSystemId is nullcom.basware.bt.access.RemoteSystemIDNullException: Remote-System is NULL! Check the URL (MessengerServlet.java:257)
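To see why the two regexes behave differently on these events, here is an added example (not from the thread and not Splunk's own code) that runs both patterns over the two log lines quoted above using Python's re module as a stand-in for the regex evaluation Splunk does in rex or props.conf. The helper names extract_field and count_by are assumptions for this example; the count_by function mimics how "stats count by" buckets events that lack the field under NULL. Python's re needs the (?P<name>...) form for named groups, which Splunk's PCRE engine also accepts.

```python
import re
from collections import Counter

# Constructed sample events, copied from the log lines quoted in the thread.
SAMPLE_EVENTS = [
    "INFO [http-8080-Processor22] 09-15 15:22:40 RemoteSystemId is nullcom.basware.bt.access.RemoteSystemIDNullException: Remote-System is NULL! Check the URL (MessengerServlet.java:257)",
    "INFO [http-8080-Processor24] 09-15 15:21:40 RemoteSystemId is nullcom.basware.bt.access.RemoteSystemIDNullException: Remote-System is NULL! Check the URL (MessengerServlet.java:257)",
]

# Regex suggested in the answer, written with Python's (?P<name>...) group syntax.
ANSWER_REGEX = r"RemoteSystemId is (?P<remotesystemid>\S+)"

# Regex the asker reported under Extractions/Transform, with the <remotesysid>
# group name restored as described in the thread. Note the literal " Removed ",
# which does not occur anywhere in the sample events.
ASKER_REGEX = r"(?i) Removed (?P<remotesysid>[^ ]+)"


def extract_field(pattern: str, events: list[str]) -> list[dict[str, str]]:
    """Return, for each event, a dict of named-group fields (empty when no match).

    This is the assumed stand-in for a Splunk search-time extraction: an event
    that does not match simply gets no field, it is not dropped.
    """
    compiled = re.compile(pattern)
    results = []
    for event in events:
        match = compiled.search(event)
        results.append(match.groupdict() if match else {})
    return results


def count_by(field: str, extracted: list[dict[str, str]]) -> Counter:
    """Mimic `stats count by <field>`: events lacking the field land in NULL."""
    counter = Counter()
    for fields in extracted:
        counter[fields.get(field, "NULL")] += 1
    return counter


if __name__ == "__main__":
    for label, pattern, field in (
        ("answer regex", ANSWER_REGEX, "remotesystemid"),
        ("asker regex", ASKER_REGEX, "remotesysid"),
    ):
        extracted = extract_field(pattern, SAMPLE_EVENTS)
        print(f"{label}: {dict(count_by(field, extracted))}")
```

Running it shows the asker's pattern never matches these events, so every event falls into the NULL bucket, which is exactly the null column seen in the timechart. The answer's pattern does match, but because "null" is glued to the exception class name in these lines, the captured value is the whole token "nullcom.basware.bt.access.RemoteSystemIDNullException:" rather than "null"; a practitioner would check the field values after adding the extraction before building a dashboard on them.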