All Apps and Add-ons
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Field extractions are incomplete for juniper

nathanluke86
Communicator
‎11-19-2019 01:14 AM

Hello,

We are extracting juniper logs using the Juniper addon and are getting random fields as pictured.

Could someone explain why this might be happening

alt text

Preview file
24 KB
0 Karma
Reply

DavidHourani
Super Champion
‎11-19-2019 01:52 AM

Hi @nathanluke86,

Are you on a distributed env ? If so where have you installed the ad-on ?

Search time components of the TA should go on the search head to get the cleanest extractions possible.

In your case it seems that the auto-extractions are grabbing lots of weird fields and polluting your field list. In order to disable it modify your local props.conf to include KV_MODE = none that way auto-extraction will be disabled.

More info here:
https://docs.splunk.com/Documentation/Splunk/8.0.0/Knowledge/Automatickey-valuefieldextractionsatsea...

Cheers,
David

0 Karma
Reply

nathanluke86
Communicator
‎11-20-2019 02:00 AM

Hi @DavidHourani

We are in a distributed env. I have checked props.conf and KV_MODE is set to none. The TA is installed on all forwarders and Search heads.

Thanks

0 Karma
Reply

DavidHourani
Super Champion
‎11-20-2019 02:38 AM

Are those fields showing over all time ? Click on one of the weird fields and check what the event looks like, wether its broken or not.

Also check if there are other places where the sourcetype might be grabbing its config from use btool to verify that.

0 Karma
Reply

nathanluke86
Communicator
‎11-26-2019 12:13 AM

The log is not complete when viewing these weird extractions

Thanks

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...