
Field extraction when the text has %%01 and other symbols: searching on the extracted value doesn't work

Path Finder

Hi

I have a log like this

Mar 10 20:19:39 10.18.10.11 Mar 10 2016 20:18:07 HIPDR-M909-X8-CA %%01SHELL/5/CMDRECORD(s)[37105]:Recorded command information. (Task=VT1, Ip=10.2.11.10, VpnName=O_G, User=65w, AuthenticationMethod="Local-user", Command="ping -c 100 -vpn-instance DAT 1.23.30")

I have a Field extraction in search mode:

sourcetype="huawei" | rex field=_raw "\%\%\d{2}(?<sig>\w+\/\d+\/\w+)\("

So if I want to search like this

sourcetype="huawei" | rex field=_raw "\%\%\d{2}(?<sig>\w+\/\d+\/\w+)\("| search sig="SHELL/5/CMDRECORD"

Works like charm

But if I save the extraction in Field Extractions (all the permissions are global, we restarted Splunk several times and ran | extract reload=true)

So when I do the search:

sourcetype="huawei" sig="SHELL/5/CMDRECORD"

Shows 0 Results

Any Idea what could be happening?


Influencer

Your extraction starts with a partial token, which requires an extra edit in fields.conf to work. See the docs: http://docs.splunk.com/Documentation/Splunk/6.3.3/Knowledge/Createandmaintainsearch-timefieldextract...

The reason why gets into how segmentation and searching work... in basic terms, at index time, Splunk breaks up your events into words based on punctuation and keeps track of which buckets of data have which words. It then converts your search into words that should appear if your search matches the data. If not all of those words are present in a big bucket of data, that bucket could be tossed before Splunk extracts parts of words to see whether your search actually does match. (Without the fields config, which essentially says that your field will not appear as indexed words.)

I would guess that in your current configuration this search might actually work without fixing fields.conf:

sourcetype="huawei" sig=* | search sig="SHELL/5/CMDRECORD"

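The following is an added example (not code from the post or from Splunk) that models the answer's explanation in Python: it runs the question's rex pattern over the sample event, then simulates the index-time word pre-filter that drops events before the regex ever runs when the searched value is only a partial token. The segmentation model (splitting on whitespace and bracket characters) and the second SNMP event are simplifying assumptions constructed for the demonstration; Python's named-group syntax (?P<sig>...) replaces Splunk's (?<sig>...).

```python
import re

# Sample event copied from the question, plus a second constructed SNMP event
# (assumed format, not from the original post) so the search has something to filter.
EVENT_SHELL = (
    'Mar 10 20:19:39 10.18.10.11 Mar 10 2016 20:18:07 HIPDR-M909-X8-CA '
    '%%01SHELL/5/CMDRECORD(s)[37105]:Recorded command information. '
    '(Task=VT1, Ip=10.2.11.10, VpnName=O_G, User=65w, '
    'AuthenticationMethod="Local-user", '
    'Command="ping -c 100 -vpn-instance DAT 1.23.30")'
)
EVENT_SNMP = (
    'Mar 10 20:19:40 10.18.10.11 Mar 10 2016 20:18:08 HIPDR-M909-X8-CA '
    '%%01SNMP/4/WARMSTART(l)[37106]:Agent warm started.'  # constructed
)
EVENTS = [EVENT_SHELL, EVENT_SNMP]

# The question's rex, with the named group in Python syntax.
SIG_RE = re.compile(r"\%\%\d{2}(?P<sig>\w+\/\d+\/\w+)\(")


def extract_sig(event: str):
    """Search-time extraction: return the sig value or None if the rex does not match."""
    m = SIG_RE.search(event)
    return m.group("sig") if m else None


def major_segments(event: str) -> set:
    """Simplified model (assumption) of index-time segmentation: whole 'words'
    that the indexer would record for this event. Splunk's real breaker rules
    are richer; this only needs to show that the prefix glues onto the value."""
    return {t for t in re.split(r'[\s()\[\]"]+', event) if t}


def indexed_value_prefilter(event: str, value: str) -> bool:
    """Model of the default INDEXED_VALUE=true behaviour: the event survives the
    bucket-level word check only if the searched value is a whole indexed word."""
    return value in major_segments(event)


def search_field(events, value: str, indexed_value: bool = True):
    """Model of 'sourcetype=huawei sig=<value>': optional word prefilter, then rex.
    indexed_value=False corresponds to INDEXED_VALUE = False in fields.conf."""
    hits = []
    for ev in events:
        if indexed_value and not indexed_value_prefilter(ev, value):
            continue  # discarded before any field extraction runs
        if extract_sig(ev) == value:
            hits.append(ev)
    return hits


if __name__ == "__main__":
    print("extracted:", extract_sig(EVENT_SHELL))
    print("indexed word containing the value:",
          [t for t in major_segments(EVENT_SHELL) if "CMDRECORD" in t])
    print("default prefilter hits:", len(search_field(EVENTS, "SHELL/5/CMDRECORD")))
    print("INDEXED_VALUE=false hits:",
          len(search_field(EVENTS, "SHELL/5/CMDRECORD", indexed_value=False)))
```

Running it shows why the question's two searches behave differently: the rex extracts SHELL/5/CMDRECORD, but the indexed word for that position is %%01SHELL/5/CMDRECORD, so a direct sig="SHELL/5/CMDRECORD" search with the default word prefilter returns nothing, while the same search with the prefilter disabled returns the event. The sig=* | search ... workaround from the answer works for the same reason: sig=* adds no required word, so the prefilter is never applied.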


Path Finder

Thanks

The creation in fields.conf the stanza

[sig]
INDEXED = False
INDEXED_VALUE = False

solves the behavior.

And now searches like this work:
sourcetype="huawei" sig=SNMP
