https://community.splunk.com/t5/Getting-Data-In/Why-does-Splunk-overwrite-the-messages-field-in-scheduler-log/m-p/324790#M60426 <P>Thank you I've opened up a ticket on this and have requested that a bug be raised.</P> <P>Cheers</P> Fri, 13 Apr 2018 22:56:14 GMT pkeller 2018-04-13T22:56:14Z https://community.splunk.com/t5/Getting-Data-In/Why-does-Splunk-overwrite-the-messages-field-in-scheduler-log/m-p/324788#M60424 <P>It seems that scheduler.log events are all prepared for parsing </P> <P>04-09-2018 23:35:04.548 +0000 ERROR SavedSplunker - <STRONG>savedsearch_id</STRONG>="nobody;my_lookups;Unix DHCP Refresh", <STRONG>message</STRONG>="Error in 'lookup' command: Lookups: The lookup table 'dhcp_lookup' does not exist or is not available.". No actions executed</P> <P>Yet, etc/app/search/default/props.conf is insistent on overwriting that so that it extracts EVERYTHING after "SavedSplunker - " into the the 'message' field.</P> <PRE><CODE>[scheduler] EXTRACT-fields = (?i)^(?:[^ ]* ){2}(?:[+\-]\d+ )?(?P&lt;log_level&gt;[^ ]*)\s+(?P&lt;component&gt;[^ ]+) - (?P&lt;message&gt;.+) </CODE></PRE> <P>So, now instead of message being: <STRONG>Error in 'lookup' command: Lookups: The lookup table 'dhcp_lookup' does not exist or is not available</STRONG></P> <P>it's expanded to:</P> <P>savedsearch_id="nobody;my_lookups;Unix DHCP Refresh", <STRONG>message</STRONG>="Error in 'lookup' command: Lookups: The lookup table 'dhcp_lookup' does not exist or is not available.". No actions executed<BR /> So the question is, why? And why choose the same fieldname that's already been used in the event itself?</P> <P>It seems that it would have been much more logical to have chosen a different fieldname than 'message'.</P> <P>Thank you</P> Tue, 29 Sep 2020 18:57:40 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-Splunk-overwrite-the-messages-field-in-scheduler-log/m-p/324788#M60424 pkeller 2020-09-29T18:57:40Z https://community.splunk.com/t5/Getting-Data-In/Why-does-Splunk-overwrite-the-messages-field-in-scheduler-log/m-p/324789#M60425 <P>I don't see that field extraction is version 6.2, so not sure in what version it was introduced. It seems like field extraction for the sourcetype <CODE>splunkd</CODE> has been copied there is and it's definitely wrong for sourcetype <CODE>scheduler</CODE>. I would raise this a bug.</P> Thu, 12 Apr 2018 21:58:28 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-Splunk-overwrite-the-messages-field-in-scheduler-log/m-p/324789#M60425 somesoni2 2018-04-12T21:58:28Z https://community.splunk.com/t5/Getting-Data-In/Why-does-Splunk-overwrite-the-messages-field-in-scheduler-log/m-p/324790#M60426 <P>Thank you I've opened up a ticket on this and have requested that a bug be raised.</P> <P>Cheers</P> Fri, 13 Apr 2018 22:56:14 GMT https://community.splunk.com/t5/Getting-Data-In/Why-does-Splunk-overwrite-the-messages-field-in-scheduler-log/m-p/324790#M60426 pkeller 2018-04-13T22:56:14Z