Getting Data In

Saving a custom field extraction throws a python error?

kumba
Explorer

I am trying to use Splunk to manage syslog messages at home from my router (which will use way less than 500MB a day). Using a custom firewall ruleset, I get syslog messages in this format (some field values redacted):

Dec 26 10:10:04 kernel: R0 NET_SCAN_IPV4-IN=eth1 OUT= MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=<SRC_IP> DST=<DST_IP> LEN=40 TOS=0x00 PREC=0x20 TTL=97 ID=256 PROTO=TCP SPT=6000 DPT=1

So I went to create a custom field extraction regex (as nothing default in Splunk seems to handle syslog messages in this format), and let it develop the regex to parse out the rule name, which has values like NET_SCAN_IPV4, ROUTER_IPV4_DENY, etc. There are IPV6 versions, too, just not active yet. I test, and then go to save the regex, and I get this error thrown at me:

500 Internal Server Error
TypeError: object of type 'NoneType' has no len()

This page was linked to from http://foobar:8000/en-US/ifx?sid=1324913742.32&offset=0&namespace=search.

You are using foobar:8000, which is connected to splunkd @113966 at https://127.0.0.1:8089 on Mon Dec 26 11:03:46 2011.

Is this a bug in the current version of Splunk? I believe it is 4.2.5, downloaded yesterday (12/25/2011).
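As an added example (not part of this thread, and not Splunk's own IFX code), here is the extraction the question describes written as a small Python parser: it pulls the rule name (NET_SCAN_IPV4, ROUTER_IPV4_DENY, ...) out of the kernel/netfilter syslog format quoted above and then splits the KEY=VALUE fields, handling the empty OUT= value and the colon-heavy MAC= value. The sample lines and addresses are constructed; the regex the poster's IFX session generated is not shown in the thread, so the patterns here are my own.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Optional

# Constructed sample lines in the router's syslog format quoted above
# (addresses are documentation ranges, not the poster's real values).
SAMPLE_LINES = [
    "Dec 26 10:10:04 kernel: R0 NET_SCAN_IPV4-IN=eth1 OUT= "
    "MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=192.0.2.10 DST=198.51.100.7 "
    "LEN=40 TOS=0x00 PREC=0x20 TTL=97 ID=256 PROTO=TCP SPT=6000 DPT=1",
    "Dec 26 10:10:09 kernel: R0 ROUTER_IPV4_DENY-IN=eth1 OUT= "
    "MAC=aa:bb:cc:dd:ee:ff:11:22:33:44:55:66:08:00 SRC=192.0.2.11 DST=198.51.100.7 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=53 DPT=5353",
    "Dec 26 10:10:10 sshd[4242]: Accepted publickey for alice from 192.0.2.12",
]

# The rule name is the token that follows "kernel: <tag> " and is glued to "-IN=".
RULE_RE = re.compile(r"kernel:\s+\S+\s+(?P<rule>[A-Z0-9_]+)-IN=")

# KEY=VALUE pairs. The value may be empty (OUT=) and may contain ':' (MAC=...),
# so match any run of non-whitespace rather than a word.
KV_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<value>\S*)")


def parse_netfilter_line(line: str) -> Optional[Dict[str, str]]:
    """Return {'rule': ..., 'IN': ..., 'SRC': ..., ...} or None for non-firewall lines."""
    m = RULE_RE.search(line)
    if m is None:
        return None
    fields = {"rule": m.group("rule")}
    # Scan KEY=VALUE pairs from "IN=" onward so nothing before the rule name is parsed.
    for kv in KV_RE.finditer(line, m.end() - len("IN=")):
        fields[kv.group("key")] = kv.group("value")
    return fields


def count_by_rule(lines: Iterable[str]) -> Dict[str, int]:
    """Events per firewall rule, skipping lines that are not netfilter log entries."""
    counts: Counter = Counter()
    for line in lines:
        parsed = parse_netfilter_line(line)
        if parsed is not None:
            counts[parsed["rule"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_netfilter_line(line))
    print(count_by_rule(SAMPLE_LINES))
```

The same rule-name pattern can be used as the regex in a Splunk field extraction; the per-rule counts are what a search over the extracted field would give you.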

1 Solution

Genti
Splunk Employee

Yeah, that's broken in 4.2.5 (just reproed)

I'll file a bug if one has not been filed yet.

Edit: already fixed in 4.3. Bug to reference: SPL-46679

mikeely
Path Finder

Genti, thanks - when I looked there were my custom fields!


Genti
Splunk Employee

4.3 will come out soon. Not sure of the release date though.
The fix might be back-ported, but there is nothing out yet. So you know, it's just the IFX, and actually the error does not mean that the field extraction did not get saved. At least in my case, when I tried to do it again, it told me that one existed already, and lo and behold, the field got extracted... So it gives an error when you save it in the UI, but the config change is also made. So you should be OK. It's kind of purely visual, at least for me.

mikeely
Path Finder

Any chance we can see a backport for this fix? I just smacked into it myself.


kumba
Explorer

Forgot to ask, where can we get 4.3? Or when is it set to be released? Is there a hotfix by chance?


kumba
Explorer

Sounds good, thanks!


lguinn2
Legend

Yes, that is an unhelpful error message. Can you show the regex?
