Getting Data In

TCP vs Splunk cmd

Vladimir
Path Finder

Hi all!

I'm a little bit upset with next problem...

If I run some script within splunk (powershell, python, etc) and put something to standard output, the event will be in splunk index and I can do normal search. For example:

Output Message: Metric=MyMetric,Value=MyValue

Search query in splunk: Metric=MyMetric

In this case I can search my event but...

if I send the same event within TCP, the search query can't find anything. It can but only if I use "Metric=MyMetric" (in quotes)

Does anybody know why? And what should I do in this case? Should I send my event in some special format?

Thanks

Tags (2)
0 Karma
1 Solution

ziegfried
Influencer

That's probably because the data over TCP gets a different sourcetype with different extraction settings (props.conf). Seems like auto-key-value pair extraction is disabled for the particular sourcetype (KV_MODE=none or similar).

View solution in original post

ziegfried
Influencer

That's probably because the data over TCP gets a different sourcetype with different extraction settings (props.conf). Seems like auto-key-value pair extraction is disabled for the particular sourcetype (KV_MODE=none or similar).

Vladimir
Path Finder

Thanks! It's alive! 🙂

0 Karma

Vladimir
Path Finder

I even can't calculate any numeric values (stats sum/avg/mix/max/etc).
Splunk 4.2.2
Splunk Universal Forwarder 4.2.1 (input for tcp)

0 Karma
Get Updates on the Splunk Community!

Index This | Divide 100 by half. What do you get?

November 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...