Getting Data In

Transforms index time field extraction producing unexpected results.

alcchang
Engager

The field extraction works for nearly all events, except for events where the line count is over 450. The returned value of the extraction for such events are about 27 lines long or 2500+ characters long. The field extractions ends with the following pattern (regex for security): \w+?\s|\s\d{9} and the pattern that follows the extracted field is =(\w+?.){5}\w+. I am aware that I should probably do this extraction and search time, but I have been overruled on that matter.

Here are some relevant configurations:

PROPS:

BREAK_ONLY_BEFORE = \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} \[
ADD_EXTRA_TIME_FIELDS = True
ANNOTATE_PUNCT = true
AUTO_KV_JSON = true
BREAK_ONLY_BEFORE_DATE = true
DEPTH_LIMIT = 1000
FIELD_HEADER_REGEX = \[*
LEARN_MODEL = true
LEARN_SOURCETYPE = true
LINE_BREAKER_LOOKBEHIND = 100
MATCH_LIMIT = 100000
MAX_DAYS_AGO = 2000
MAX_DAYS_HENCE = 2
MAX_DIFF_SECS_AGO = 3600
MAX_DIFF_SECS_HENCE = 604800
MAX_EVENTS = 500
MAX_TIMESTAMP_LOOKAHEAD = 128
NO_BINARY_CHECK = true
SEGMENTATION = indexing
SEGMENTATION-all = full
SEGMENTATION-inner = inner
SEGMENTATION-outer = outer
SEGMENTATION-raw = none
SEGMENTATION-standard = standard
SHOULD_LINEMERGE = true
TRANSFORMS-sesh_vars = sesh_vars
### VARIOUS TRANSFORMS FIELD EXTRACTIONS HERE
TRUNCATE = 50000
detect_trailing_nulls = false
disabled = false
maxDist = 100
category = Custom

TRANSFORMS:

[sesh_vars]
REGEX = (?m)Session\s+(?<sesh_vars>(.+\s*)+?)(?=Additional|$)
WRITE_META = true
0 Karma
Get Updates on the Splunk Community!

Exciting News: The AppDynamics Community Joins Splunk!

Hello Splunkers,   I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...

The All New Performance Insights for Splunk

Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...

Good Sourcetype Naming

When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...