Solved: BUG: Automatic field extraction is flakey in versi...

the_wolverine · ‎03-15-2014

We're seeing high rate of inaccuracy of automatic field detection in Splunk 5.0.3 for data that is intentionally logged as key=value pair for explicit reason of making searching easy in Splunk.

Other than forcefully extracting our fields (using rex or props), what can be done?

the_wolverine · ‎06-10-2014

This is a confirmed bug which I understand also exists in versions 6.0x and 6.1.1.

We have figured out a workaround which is to use "| fields <field1> <field2>" OR "| fillnull <field1> <field2>" but you obviously need to be aware of the bug in order to know to do this.

View solution in original post

the_wolverine · ‎06-10-2014

This is a confirmed bug which I understand also exists in versions 6.0x and 6.1.1.

We have figured out a workaround which is to use "| fields <field1> <field2>" OR "| fillnull <field1> <field2>" but you obviously need to be aware of the bug in order to know to do this.

grijhwani · ‎03-16-2014

Are you sure it is not a bug which is already fixed in a later v5 release? Before contacting support I would be inclined to install the latest version - currently standing at 5.0.7.

Ledion_Bitincka · ‎03-16-2014

I'd recommend that you file a case with support making sure to include some sample/scrubbed data

BUG: Automatic field extraction is flakey in version 5.0.3 (not detecting fields when key=value pair)

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...