topic Re: Is there any way to selectively avoid automatic field extraction? in Splunk Search

Is there any way to selectively avoid automatic field extraction?

sideview — Sat, 12 Feb 2011 05:42:52 GMT

I have multiline events where there's a fair bit of auto-kv extraction that is good, but then there's a lot of noise as well.

I can create regexes to match the really noisy bits and this works well. I nearly get perfect coverage on the high-value fields that I actually need.

The problem is that even when I have a regex matching, sometimes the same field appears in a foo=bar pair further down into the event, and the autoKV match is clobbering my more explicit regex match. Can someone point me in the right direction? (Obviously the answer is to make the logging less deranged, but it's not an option atm unfortunateley)

-------------------------------------
Fields: Field=GoodValue;foo=bar;jackiechan=theman
AnotherGoodField = AnotherGoodValue
User = bob
.....
Field : BadNoisyValueThatClobbersMyGoodValue
-------------------------------------

One idea is - can I tell the autokv stuff not to pay attention to colons? All the colon stuff is hideously noisy in this sourcetype.

Re: Is there any way to selectively avoid automatic field extraction?

Ron_Naken — Sat, 12 Feb 2011 06:35:03 GMT

You could disable KV discovery for a particular source, host, or sourcetype in props.conf. Maybe this would help:

PROPS.CONF:

[mysourcetype]
KV_MODE = none

Re: Is there any way to selectively avoid automatic field extraction?

Ron_Naken — Sat, 12 Feb 2011 06:37:20 GMT

I don't believe it looks for colons, by default.

Re: Is there any way to selectively avoid automatic field extraction?

sideview — Sun, 13 Feb 2011 04:04:41 GMT

From what I can tell it's definitely matching colons all over the place.

Re: Is there any way to selectively avoid automatic field extraction?

sideview — Sun, 13 Feb 2011 04:08:17 GMT

The trouble is that there's a huge number of fields for which I need the normal equals sign autokv extraction to work. I tried specifying a manual regex for equals but there's a bunch of subtlety that autokv just does really well when you look at it under a microscope and I couldnt get the manual regex to the desired standard.

Re: Is there any way to selectively avoid automatic field extraction?

gkanapathy — Tue, 15 Feb 2011 09:54:55 GMT

It does the colon matching in WinEventLog:: (and maybe WMI::) sourcetypes.

Re: Is there any way to selectively avoid automatic field extraction?

gkanapathy — Tue, 15 Feb 2011 09:55:25 GMT

The colon matching isn't handled by the KV_MODE switch, but by a different search-time extract.

topic Re: Is there any way to *selectively* avoid automatic field extraction? in Splunk Search

Is there any way to *selectively* avoid automatic field extraction?

Re: Is there any way to *selectively* avoid automatic field extraction?

Re: Is there any way to *selectively* avoid automatic field extraction?

Re: Is there any way to *selectively* avoid automatic field extraction?

Re: Is there any way to *selectively* avoid automatic field extraction?

Re: Is there any way to *selectively* avoid automatic field extraction?

Re: Is there any way to *selectively* avoid automatic field extraction?

topic Re: Is there any way to selectively avoid automatic field extraction? in Splunk Search

Is there any way to selectively avoid automatic field extraction?

Re: Is there any way to selectively avoid automatic field extraction?

Re: Is there any way to selectively avoid automatic field extraction?

Re: Is there any way to selectively avoid automatic field extraction?

Re: Is there any way to selectively avoid automatic field extraction?

Re: Is there any way to selectively avoid automatic field extraction?

Re: Is there any way to selectively avoid automatic field extraction?