Re: Field extractions are incomplete for juniper

nathanluke86 · ‎11-19-2019

Hello,

We are extracting juniper logs using the Juniper addon and are getting random fields as pictured.

Could someone explain why this might be happening

DavidHourani · ‎11-19-2019

Hi @nathanluke86,

Are you on a distributed env ? If so where have you installed the ad-on ?

Search time components of the TA should go on the search head to get the cleanest extractions possible.

In your case it seems that the auto-extractions are grabbing lots of weird fields and polluting your field list. In order to disable it modify your local props.conf to include KV_MODE = none that way auto-extraction will be disabled.

More info here:
https://docs.splunk.com/Documentation/Splunk/8.0.0/Knowledge/Automatickey-valuefieldextractionsatsea...

Cheers,
David

nathanluke86 · ‎11-20-2019

Hi @DavidHourani

We are in a distributed env. I have checked props.conf and KV_MODE is set to none. The TA is installed on all forwarders and Search heads.

Thanks

DavidHourani · ‎11-20-2019

Are those fields showing over all time ? Click on one of the weird fields and check what the event looks like, wether its broken or not.

Also check if there are other places where the sourcetype might be grabbing its config from use btool to verify that.

nathanluke86 · ‎11-26-2019

The log is not complete when viewing these weird extractions

Thanks

Field extractions are incomplete for juniper

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...