- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: What could cause our "punct" field to go missi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What could cause our "punct" field to go missing?
Hello,
I just realized that the "punct" field is missing in our Splunk QA environment but only in IIS logs.
I didn't use this field before, so unfortunately, I don't know when the issue started.
But the only difference I can see is Splunk version:
in 7.0.6 it exists and in 7.2.3 it's not.
Can somebody explain what can I check there?
thanks in advance.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check out the FIELDALIAS commands in ./Splunk_TA_microsoft-iis/default/props.conf. Depending on what you're logging out of IIS, they can jack up your field extractions. Usually it disappears your host field, but I wouldn't put it past them to mess up the punct field too.
See also: https://answers.splunk.com/answers/693737/splunk-720-field-aliases-incorrect-behavior.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@sergeye - do you really need this punct field? because the current Splunk classes emphasize that its creation is expensive and that you should avoid creating it if not needed...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
unfortunately I have some very complicated query based on this field, which is a basis for another complicated query etc... so I really need that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Oh, then it makes perfect sense.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
check that you don't have ANNOTATE_PUNCT=false under the iis_log sourcetype in props.conf
(see https://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf )
you can check from command line with a command such as
splunk btool props list iis_log --debug |grep -i annotate_punct
(replace iis_log by your sourcetype as necessary)
BTW, you probably mean 7.1.3 as 7.2.3 doesn't exist yet.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Sorry for a mistake.
My new Splunk version is 7.2.1.
I checked the annotate_punct on both Splunk itself and UF servers and it's in each place "True".
So probably that's not my issue...
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Did you check the search mode you are using? See the docs on searches modes http://docs.splunk.com/Documentation/Splunk/latest/Search/Changethesearchmode
You might be in fast mode?
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi MuS, thanks for your input.
I run the search in Verbose mode.
I guess there is some issue with my sourcetype (iisadv) but I'm unable to understand what exactly...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
