https://community.splunk.com/t5/Getting-Data-In/Splunk-6-auto-key-value-extraction-not-working/m-p/99279#M20769 <P>I have recently installed splunk 6, almost certain this worked fine in splunk 5...</P> <P>I have extracted a number of fields from one index into another using the "| collect index=events" function. Now I have the fields in the new index and the raw data contains the key values i expected, but they are not being auto extracted by splunk?</P> <P>I have also tested this with some other data which also doesn't extract, and turned on verbose mode.</P> <P>Example data:</P> <P>time="2013/06/06 15:15:15" data="test" seconddata="test2"</P> <P>05/09/2013 23:45:39 +0100, info_search_time=1381837886.531, bytes=214, client_ip="192.168.0.1", company=test1, destination_ip="10.0.0.1", domain="example.com", method=GET, reason="Not Found", status=404, uri="/test-env"</P> <P>Question: Is there some global setting to turn on KV extraction? Otherwise is it something I have broken?</P> <P>Thanks,</P> <P>Michael</P> Mon, 28 Sep 2020 14:58:19 GMT mmmmssss 2020-09-28T14:58:19Z https://community.splunk.com/t5/Getting-Data-In/Splunk-6-auto-key-value-extraction-not-working/m-p/99279#M20769 <P>I have recently installed splunk 6, almost certain this worked fine in splunk 5...</P> <P>I have extracted a number of fields from one index into another using the "| collect index=events" function. Now I have the fields in the new index and the raw data contains the key values i expected, but they are not being auto extracted by splunk?</P> <P>I have also tested this with some other data which also doesn't extract, and turned on verbose mode.</P> <P>Example data:</P> <P>time="2013/06/06 15:15:15" data="test" seconddata="test2"</P> <P>05/09/2013 23:45:39 +0100, info_search_time=1381837886.531, bytes=214, client_ip="192.168.0.1", company=test1, destination_ip="10.0.0.1", domain="example.com", method=GET, reason="Not Found", status=404, uri="/test-env"</P> <P>Question: Is there some global setting to turn on KV extraction? Otherwise is it something I have broken?</P> <P>Thanks,</P> <P>Michael</P> Mon, 28 Sep 2020 14:58:19 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-6-auto-key-value-extraction-not-working/m-p/99279#M20769 mmmmssss 2020-09-28T14:58:19Z https://community.splunk.com/t5/Getting-Data-In/Splunk-6-auto-key-value-extraction-not-working/m-p/99280#M20770 <P>I see the same behavior when I tried looking at one of the S.O.S dashboards after upgrading to Splunk 6. While some fields (searchid etc) are auto extracted. The total_run_time, event_count are not.</P> <P>5/9/14 <BR /> 2:16:53.552 PM<BR /><BR /> Audit:[timestamp=05-09-2014 14:16:53.552, user=splunk, action=search, info=canceled, search_id='1399670142.1517.xyz', total_run_time=2.75, event_count=0, result_count=0, available_count=0, scan_count=0, drop_count=0, exec_time=1399670142, api_et=1397026800.000000000, api_lt=1399670142.000000000, search_et=1397026800.000000000, search_lt=1399670142.000000000, is_realtime=0, savedsearch_name=""][n/a]<BR /> 5/9/14 <BR /> 2:15:42.334 PM<BR /><BR /> Audit:[timestamp=05-09-2014 14:15:42.334, user=splunk, action=search, info=granted , search_id='1399670142.1517.xyz', search='search index=splunk', autojoin='1', buckets=300, ttl=600, max_count=10000, maxtime=8640000, enable_lookups='1', extra_fields='*', apiStartTime='Wed Apr 9 00:00:00 2014', apiEndTime='Fri May 9 14:15:42 2014', savedsearch_name=""][n/a]</P> Mon, 28 Sep 2020 16:37:00 GMT https://community.splunk.com/t5/Getting-Data-In/Splunk-6-auto-key-value-extraction-not-working/m-p/99280#M20770 tupadhyaya 2020-09-28T16:37:00Z