topic Re: How to use regex to view data? in Splunk Enterprise

How to use regex to view data?

robertlynch2020 — Tue, 17 May 2022 16:05:31 GMT

I have data that i can't access unless I use regex

but when I run the command that Splunk gives me I get the empty return.

I can use this SPL, but the performance is not good. How do I get the attribute to work for this, so I can get the performance gains.

Is it the only way I can see the data? what can i do as the performance is very bad.

Re: How to use regex to view data?

somesoni2 — Tue, 17 May 2022 16:11:20 GMT

How is the field "log.type" extracted (is in raw data OR calculated OR lookup etc)? Does this work?

index="murex_logs" log.type=http

Re: How to use regex to view data?

robertlynch2020 — Tue, 17 May 2022 16:28:12 GMT

This is the raw data. Its coming in via HEC.

log.type=http does not work.

However the strange this is one one environment 8.1

log.type="http" does work and 8.2.5 doesn't. However regex always works. So I looking for a way that is reliable. Its very strange.

Re: How to use regex to view data?

richgalloway — Tue, 17 May 2022 16:36:04 GMT

Have you tried single quotes instead of doubles? Single quotes tell Splunk to treat the quoted string as a field name.

index="murex_logs" 'log.type'=http

Re: How to use regex to view data?

robertlynch2020 — Tue, 17 May 2022 17:38:19 GMT

This did not work in 8.2.5 - thanks for you help

Rob

Re: How to use regex to view data?

robertlynch2020 — Tue, 17 May 2022 17:51:19 GMT

I think its a bug in Splunk as when i downgraded to 8.1 it works

Re: How to use regex to view data?

richgalloway — Tue, 17 May 2022 17:53:48 GMT

OK. That was a long-shot. Here are a couple other ideas.

Filter using where instead of in the base query. Yes, this is less efficient, but it might work.

index="murex_logs" | where 'log.type'="http"

Rename the field.

index="murex_logs" | rename log.type as log_type | where log_type="http"

Re: How to use regex to view data?

PickleRick — Tue, 17 May 2022 17:58:01 GMT

Are you sure you're not doing something fancy with the fields? The warning suggests you're extracting a huge number of fields. That might be affecting the processing of your search.

Re: How to use regex to view data?

robertlynch2020 — Wed, 18 May 2022 09:39:00 GMT

So this will only work if I put a table command into it, but i think the table command will slow it down.

As you can see this does not work.

Do you think it's a bug in Splunk or because i am getting in HEC OT data?

Re: How to use regex to view data?

robertlynch2020 — Wed, 18 May 2022 12:36:32 GMT

Also to add adding the table command slowed the search down big time from 137 seconds to 61 seconds.

So i can't use the table command to fix this

The first screenshot is from 8.2.5

The second screenshot is from 8.1

do you think i should make a bug to Spunk or do you have a few more ideas, also thanks again for all the efforts 🙂

Re: How to use regex to view data?

robertlynch2020 — Wed, 18 May 2022 12:39:01 GMT

THis error was not happeing in 8.2.5 only in 8.1.

I needed to add the prop in limits.conf to get rid of it.

[kv] # Maximum number of key-value pairs that can be extracted at index time. # Set this value to 0 to not impose any limit on indexed kv limit. indexed_kv_limit = 0

I don't know why i was getting it as i don't see over 100 fields in the data.