BUG: Automatic field extraction is flakey in version 5.0.3 (not detecting fields when key=value pair)

the_wolverine
Champion

We're seeing a high rate of inaccuracy in automatic field detection in Splunk 5.0.3 for data that is intentionally logged as key=value pairs for the explicit reason of making searching easy in Splunk.

Other than forcefully extracting our fields (using rex or props), what can be done?

0 Karma
1 Solution

the_wolverine
Champion

This is a confirmed bug which I understand also exists in versions 6.0x and 6.1.1.

We have figured out a workaround which is to use "| fields <field1> <field2>" OR "| fillnull <field1> <field2>" but you obviously need to be aware of the bug in order to know to do this.

0 Karma

grijhwani
Motivator

Are you sure it is not a bug which is already fixed in a later v5 release? Before contacting support I would be inclined to install the latest version - currently standing at 5.0.7.

0 Karma

Ledion_Bitincka
Splunk Employee

I'd recommend that you file a case with support, making sure to include some sample/scrubbed data.

0 Karma