Getting Data In

TCP vs Splunk cmd

Vladimir
Path Finder

Hi all!

I'm a little bit upset with next problem...

If I run some script within splunk (powershell, python, etc) and put something to standard output, the event will be in splunk index and I can do normal search. For example:

Output Message: Metric=MyMetric,Value=MyValue

Search query in splunk: Metric=MyMetric

In this case I can search my event but...

if I send the same event within TCP, the search query can't find anything. It can but only if I use "Metric=MyMetric" (in quotes)

Does anybody know why? And what should I do in this case? Should I send my event in some special format?

Thanks

Tags (2)
0 Karma
1 Solution

ziegfried
Influencer

That's probably because the data over TCP gets a different sourcetype with different extraction settings (props.conf). Seems like auto-key-value pair extraction is disabled for the particular sourcetype (KV_MODE=none or similar).

View solution in original post

ziegfried
Influencer

That's probably because the data over TCP gets a different sourcetype with different extraction settings (props.conf). Seems like auto-key-value pair extraction is disabled for the particular sourcetype (KV_MODE=none or similar).

Vladimir
Path Finder

Thanks! It's alive! 🙂

0 Karma

Vladimir
Path Finder

I even can't calculate any numeric values (stats sum/avg/mix/max/etc).
Splunk 4.2.2
Splunk Universal Forwarder 4.2.1 (input for tcp)

0 Karma
Get Updates on the Splunk Community!

Video | Welcome Back to Smartness, Pedro

Remember Splunk Community member, Pedro Borges? If you tuned into Episode 2 of our Smartness interview series, ...

Detector Best Practices: Static Thresholds

Introduction In observability monitoring, static thresholds are used to monitor fixed, known values within ...

Expert Tips from Splunk Education, Observability in Action, Plus More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...