We're seeing a high rate of inaccuracy in automatic field detection in Splunk 5.0.3 for data that is intentionally logged as key=value pairs for the explicit reason of making searching easy in Splunk.
Other than forcefully extracting our fields (using rex or props), what can be done?
This is a confirmed bug which I understand also exists in versions 6.0x and 6.1.1.
We have figured out a workaround, which is to use "| fields <field1> <field2>" OR "| fillnull <field1> <field2>", but you obviously need to be aware of the bug in order to know to do this.
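As an added illustration (not part of the original answer), here is what the "props" route mentioned in the question looks like when you stop relying on automatic key=value detection and declare the extraction explicitly at search time. The sourcetype name `myapp:kv` and the stanza names are assumptions; adjust them to your own sourcetype. The two transforms cover the case that trips up simple extractions: values wrapped in double quotes that contain spaces, alongside plain unquoted values.

```ini
# props.conf  (search-time, no reindex needed)
[myapp:kv]
# Turn off the automatic key=value detection that is misbehaving and
# replace it with the explicit transforms below.
KV_MODE = none
REPORT-kvpairs = myapp_kv_quoted, myapp_kv_bare

# transforms.conf
# Quoted values: key="some value with spaces"
[myapp_kv_quoted]
REGEX = (\w+)="([^"]*)"
FORMAT = $1::$2
MV_ADD = true

# Bare values: key=value (stops at whitespace, never starts with a quote)
[myapp_kv_bare]
REGEX = (\w+)=([^"\s]+)
FORMAT = $1::$2
MV_ADD = true
```

`FORMAT = $1::$2` makes the first capture group the field name and the second its value, so one pair of stanzas handles every key in the event rather than one regex per field; `MV_ADD = true` keeps repeated keys as multivalue fields instead of silently dropping all but the first. After a restart (or a `| extract reload=true`), the explicit fields appear without the `| fields` / `| fillnull` step, and `KV_MODE = none` prevents the automatic extractor from producing a second, conflicting copy of the same field.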
Are you sure it is not a bug which is already fixed in a later v5 release? Before contacting support I would be inclined to install the latest version - currently standing at 5.0.7.
I'd recommend that you file a case with support, making sure to include some sample/scrubbed data.