https://community.splunk.com/t5/Splunk-Search/Corrupted-fields-problem/m-p/470427#M192143 <P>Especially my purpose is trying to fix irrelevant values on my search results at field 7 side.<BR /> I've attached 2 screen shots for clarification. <BR /> <IMG src="https://i.stack.imgur.com/YYAZg.png" alt="alt text" /></P> <P><IMG src="https://i.stack.imgur.com/MJEiT.jpg" alt="alt text" /></P> Wed, 03 Jun 2020 12:55:50 GMT dunyaelbasan 2020-06-03T12:55:50Z https://community.splunk.com/t5/Splunk-Search/Corrupted-fields-problem/m-p/470425#M192141 <P>I have a problem on this search below for last 25 days:</P> <P>index=syslog Reason="Interface physical link is down" OR Reason="Interface physical link is up" NOT mainIfname="Vlanif*" "nw_ra_a98c_01.34_krtti"</P> <P>Normally field7 values are like these ones:</P> <P>Region field7 Date mainIfname Reason count<BR /> ASYA nw_ra_m02f_01.34pndkdv may 9 GigabitEthernet0/3/6 Interface physical link is up 3<BR /> ASYA nw_ra_m02f_01.34pldtwr may 9 GigabitEthernet0/3/24 Interface physical link is up 2</P> <P>But recently they wee like this:</P> <P>00:00:00.599 nw_ra_a98c_01.34_krtti <BR /> 00:00:03.078 nw_ra_a98c_01.34_krtti </P> <P>I think problem may be related to:</P> <P>It started to happen after the disk free alarm. (-Cri- Swap reservation, bottleneck situation, current value: 95.00% exceeds configured threshold: 90.00%. : 07:17 17/02/20)<BR /> Especially This is not about disk, it's about swap space, the application finishes memory and then goes to swap use. There was memory increase before, but obviously it was insufficient, it is switching to swap again.<BR /> I need to understand: ''Why they use so many resources?''</P> Wed, 30 Sep 2020 05:36:41 GMT https://community.splunk.com/t5/Splunk-Search/Corrupted-fields-problem/m-p/470425#M192141 dunyaelbasan 2020-09-30T05:36:41Z https://community.splunk.com/t5/Splunk-Search/Corrupted-fields-problem/m-p/470426#M192142 <P>It's not clear what problem you're asking about. Is the problem with a Splunk search, your Ethernet interfaces, disk space, swap space, or memory use?</P> Wed, 03 Jun 2020 12:50:10 GMT https://community.splunk.com/t5/Splunk-Search/Corrupted-fields-problem/m-p/470426#M192142 richgalloway 2020-06-03T12:50:10Z https://community.splunk.com/t5/Splunk-Search/Corrupted-fields-problem/m-p/470427#M192143 <P>Especially my purpose is trying to fix irrelevant values on my search results at field 7 side.<BR /> I've attached 2 screen shots for clarification. <BR /> <IMG src="https://i.stack.imgur.com/YYAZg.png" alt="alt text" /></P> <P><IMG src="https://i.stack.imgur.com/MJEiT.jpg" alt="alt text" /></P> Wed, 03 Jun 2020 12:55:50 GMT https://community.splunk.com/t5/Splunk-Search/Corrupted-fields-problem/m-p/470427#M192143 dunyaelbasan 2020-06-03T12:55:50Z https://community.splunk.com/t5/Splunk-Search/Corrupted-fields-problem/m-p/470428#M192144 <P>Please share some sample events (not just field7) and the props.conf settings for the sourcetype.</P> Wed, 03 Jun 2020 14:58:51 GMT https://community.splunk.com/t5/Splunk-Search/Corrupted-fields-problem/m-p/470428#M192144 richgalloway 2020-06-03T14:58:51Z https://community.splunk.com/t5/Splunk-Search/Corrupted-fields-problem/m-p/503982#M192145 <P><SPAN>I've attached the xample events, one from the normal situation, and one from the problematic situation.</SPAN></P><P>&nbsp;</P><P><A href="https://drive.google.com/drive/folders/1IaswXnbWTORN0ES0NzL0ceDAHr4iIyS6?usp=sharing" target="_blank">https://drive.google.com/drive/folders/1IaswXnbWTORN0ES0NzL0ceDAHr4iIyS6?usp=sharing</A></P><P>&nbsp;</P><P>inside of props.conf:</P><P>&nbsp;</P><P>TRANSFORMS-ddos_routing = ddos_routing</P><P>TRANSFORMS-ddos_sourcetype_cloud = ddos_cloud</P><P>TRANSFORMS-ddos_sourcetype_host = ddos_host</P><P>TRANSFORMS-ddos_sourcetype_tms = ddos_tms</P><P>TRANSFORMS-ddos_sourcetype_profiled = ddos_profiled</P><P>TRANSFORMS-access_routing = access_routing</P><P>TRANSFORMS-access_sourcetype_switch = access_switch</P><P>TRANSFORMS-access_sourcetype_gpon = access_gpon</P><P>TRANSFORMS-access_sourcetype_router = access_router</P> Thu, 11 Jun 2020 18:31:55 GMT https://community.splunk.com/t5/Splunk-Search/Corrupted-fields-problem/m-p/503982#M192145 dunyaelbasan 2020-06-11T18:31:55Z