Solved: BUG: Automatic field extraction is flakey in versi...

the_wolverine · ‎03-15-2014

We're seeing high rate of inaccuracy of automatic field detection in Splunk 5.0.3 for data that is intentionally logged as key=value pair for explicit reason of making searching easy in Splunk.

Other than forcefully extracting our fields (using rex or props), what can be done?

the_wolverine · ‎06-10-2014

This is a confirmed bug which I understand also exists in versions 6.0x and 6.1.1.

We have figured out a workaround which is to use "| fields <field1> <field2>" OR "| fillnull <field1> <field2>" but you obviously need to be aware of the bug in order to know to do this.

View solution in original post

the_wolverine · ‎06-10-2014

This is a confirmed bug which I understand also exists in versions 6.0x and 6.1.1.

We have figured out a workaround which is to use "| fields <field1> <field2>" OR "| fillnull <field1> <field2>" but you obviously need to be aware of the bug in order to know to do this.

grijhwani · ‎03-16-2014

Are you sure it is not a bug which is already fixed in a later v5 release? Before contacting support I would be inclined to install the latest version - currently standing at 5.0.7.

Ledion_Bitincka · ‎03-16-2014

I'd recommend that you file a case with support making sure to include some sample/scrubbed data

BUG: Automatic field extraction is flakey in version 5.0.3 (not detecting fields when key=value pair)

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms