topic Why is one field not been extracted as expected? in Splunk Search

Why is one field not been extracted as expected?

glpadilla_sol — Wed, 18 May 2022 23:05:25 GMT

Hello everyone,

I have an issue with one field let say foo

These are the scenarios:

1. If I run a search just with the index that contains the logs I can see the field foo at the fields bar perfectly and also I can see the values.

2. If I select the field and is added to the search for example index=bar foo="hello" the results are ZERO even though I select that value from the previous search (where I saw the field and the values at the field bar).

3. If I add the sourcetype at the search example index=bar sourcetype=net foo="hello" I can see results but not the expected results, usually I get less than the real number and the number of results are random in the same interval of time.

Configuration:

I am using the automatic key-value field extraction KV_MODE=json to try to extract the fields of a source. The sources is sending the logs in JSON format.

#props.conf - SH configuration and indexers

[net]
CHARSET=UTF-8
KV_MODE=json
TRUNCATE = 99999
LINE_BREAKER=([\r\n]+)
NO_BINARY_CHECK=true
SHOULD_LINEMERGE=true

#inputs.conf - forwarder

[monitor:///pat/*.json]
sourcetype= net
index = bar
disabled = false
crcSalt = <SOURCE>
ignoreOlderThan = 1d

Version 8.2.2

Cluster enviroment.

Notes:

Also I tried with another sourcetype and data not using the KV_MODE instead I used the EXTRACT-foo and I had the same results, the field doesn't show results when is added to the search.

The rest all the fields are not having this issue, they work perfectly.

Thank you for the help.

Re: Why is one field not been extracted as expected?

isoutamo — Thu, 19 May 2022 06:06:02 GMT

Can you post a sample from your json file? Preferably from source as raw events inside <> -block.

Re: Why is one field not been extracted as expected?

VatsalJagani — Thu, 19 May 2022 06:26:28 GMT

@glpadilla_sol - Try searching like this:

index=bar foo="*hello*" | where foo="hello"

(added wildcard(*) in the search command.)

I hope this helps!!!

Re: Why is one field not been extracted as expected?

glpadilla_sol — Thu, 19 May 2022 17:30:08 GMT

Hello @VatsalJagani thank you for the answer, but the issue is not the search. I mean no matter if I use * or not we are not getting results.

The issue is that I can see the field and the values at the field bar, but no when I add it at the search.

Kind Regards.

Re: Why is one field not been extracted as expected?

VatsalJagani — Thu, 19 May 2022 18:26:02 GMT

@glpadilla_sol - It's not because of the search you need to add *.

But there is some concept about minor and major segmentation that sometimes will not allow you to get results even when you search the extracted value.

Re: Why is one field not been extracted as expected?

glpadilla_sol — Thu, 19 May 2022 19:26:49 GMT

Thank you again.

I tried with that search and no results, if I add the sourcetype,

index=bar sourcetype="test" foo="*hello*" | where foo="hello"

I can see results but not all the results, it's a partial view, that also happens when I run this

index=bar sourcetype ="test" foo="hello"

Both scenarios I got the same results.

Also I notice at the search.log that the search is running against some extractions that are not part of that sourcetype. I mean we have the same field been extracted into another sourcetype, but at indexing time using props.conf and transforms.conf.

Can this for some reason be related?

Event though are different sourcetypes?

Thank you for your inputs.

Re: Why is one field not been extracted as expected?

glpadilla_sol — Thu, 19 May 2022 19:30:42 GMT

Hello,

Unluckily I cannot share that content because is confidential.

But is a normal JSON like this

{"backendhost": "2.11.27.94", "backendport": 1001, "console_device": "unknown", "console_name": "sdj934", "domain": "domainname", "frontendport": 8347, "frontendprotocol": "tcp"}

Regards.

Re: Why is one field not been extracted as expected?

isoutamo — Thu, 19 May 2022 20:13:44 GMT

Maybe this explains it https://community.splunk.com/t5/Splunk-Search/Why-is-it-when-you-don-t-put-a-wild-card-when-searching-after/m-p/585674#M204058 ?

Re: Why is one field not been extracted as expected?

cpetterborg — Fri, 20 May 2022 14:59:40 GMT

It kind of looks like you might have created an indexed field extraction using EXTRACT-foo. If that is the case, try the following search:

index=bar foo::"*hello*"

Re: Why is one field not been extracted as expected?

glpadilla_sol — Mon, 27 Jun 2022 20:59:49 GMT

I found the root cause, updating in case someone else is facing the same issue:

https://www.splunk.com/en_us/blog/tips-and-tricks/cannot-search-based-on-an-extracted-field.html?_gl=1*at4wpd*_ga*MjE0MDA2MDA2MS4xNjI4ODcyNDg2*_gid*MTAwMjUwNDQwMy4xNjUzNDE3ODYy&_ga=2.247787271.1002504403.1653417862-2140060061.1628872486&locale=en_us

The solution

$SPLUNK_HOME/etc/system/local/fields.conf
[MyField]
INDEXED_VALUE = false