Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What could cause our "punct" field to go missing?

sergeye
New Member
‎12-03-2018 05:03 AM

Hello,

I just realized that the "punct" field is missing in our Splunk QA environment but only in IIS logs.

I didn't use this field before, so unfortunately, I don't know when the issue started.

But the only difference I can see is Splunk version:
in 7.0.6 it exists and in 7.2.3 it's not.

Can somebody explain what can I check there?

thanks in advance.

0 Karma
Reply

gpullis
Communicator
‎03-20-2019 03:29 PM

Check out the FIELDALIAS commands in ./Splunk_TA_microsoft-iis/default/props.conf. Depending on what you're logging out of IIS, they can jack up your field extractions. Usually it disappears your host field, but I wouldn't put it past them to mess up the punct field too.

See also: https://answers.splunk.com/answers/693737/splunk-720-field-aliases-incorrect-behavior.html

0 Karma
Reply

ddrillic
Ultra Champion
‎12-04-2018 10:53 AM

@sergeye - do you really need this punct field? because the current Splunk classes emphasize that its creation is expensive and that you should avoid creating it if not needed...

0 Karma
Reply

sergeye
New Member
‎12-04-2018 10:57 AM

Hi,

unfortunately I have some very complicated query based on this field, which is a basis for another complicated query etc... so I really need that.

0 Karma
Reply

ddrillic
Ultra Champion
‎12-04-2018 11:00 AM

Oh, then it makes perfect sense.

0 Karma
Reply

maraman_splunk
Splunk Employee
Splunk Employee
‎12-03-2018 07:34 AM

Hi,

check that you don't have ANNOTATE_PUNCT=false under the iis_log sourcetype in props.conf
(see https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf )
you can check from command line with a command such as 

splunk btool props list iis_log --debug |grep -i annotate_punct

(replace iis_log by your sourcetype as necessary)

BTW, you probably mean 7.1.3 as 7.2.3 doesn't exist yet.

0 Karma
Reply

sergeye
New Member
‎12-03-2018 07:52 AM

Hi,
Sorry for a mistake.
My new Splunk version is 7.2.1.

I checked the annotate_punct on both Splunk itself and UF servers and it's in each place "True".
So probably that's not my issue...

0 Karma
Reply

MuS
SplunkTrust
SplunkTrust
‎12-03-2018 03:47 PM

Did you check the search mode you are using? See the docs on searches modes http://docs.splunk.com/Documentation/Splunk/latest/Search/Changethesearchmode

You might be in fast mode?

cheers, MuS

0 Karma
Reply

sergeye
New Member
‎12-04-2018 12:45 AM

Hi MuS, thanks for your input.
I run the search in Verbose mode.

I guess there is some issue with my sourcetype (iisadv) but I'm unable to understand what exactly...

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Community Content Calendar, October Edition

Welcome to the October edition of our Community Spotlight! The Splunk Community is a treasure trove of ...

SOC4Kafka - New Kafka Connector Powered by OpenTelemetry

The new SOC4Kafka connector, built on OpenTelemetry, enables the collection of Kafka messages and forwards ...