Hi, I am using 4.3.3 at the moment for this test. I understand this is a retired version, but have no choice since it is the version being used in our office, and the admins are still in the process of upgrading.
I made some changes to my props.conf including:
REPORT-delim = delim_bam
TRANSFORMS-bat...
FIELDALIAS-foo...
EXTRACT-bar = "some regex" in fieldx
EVAL-foobar...
The issue I am having is with the EXTRACT; even after restarting the search-head (this is where I'm currently testing my app), I need to type | extract reload=true every single time or else the extract doesn't work. Anyone else encountered this issue?
The extracted values are used to perform additional logic, so their existence is paramount. Which leads me to consider: should I include that | extract reload=true in all my savedsearches also?
Here is what my transforms.conf looks like:
[delim_bam]
DELIMS = "!"
FIELDS = "field1","field2","field3","fieldx"
You should pretty much never need to run extract reload=true, nor restart Splunk, for any changes to search-time settings like field extractions. What extract reload=true does is run the whole field extraction process a second time, so if you have fields that are not created the first round but work after the second, that is an indicator that conditions which weren't met in order to extract the fields the first time are now met during the second. I'd put my money on the field extraction(s) you're seeing problems with being ones that use another field as their source, and when you try to extract them the first time this field does not yet exist. In order to make this work you need to make sure that your field extractions run in the correct order.
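To make the ordering point concrete, here is a small Python model of the answer above. It is an added example, not code from the thread or from Splunk. It encodes the fact that Splunk applies inline EXTRACT- regexes before REPORT- transforms at search time, so an EXTRACT-bar that reads "in fieldx" sees no fieldx on the first pass while a second pass (modelling | extract reload=true as the answer describes it) does. The delim_bam stanza mirrors the question; the bar_from_fieldx stanza, the SAMPLE_RAW event, and the assumption that transforms listed in one REPORT- line run in the listed order are mine.

```python
import re

# Constructed sample event: four "!"-separated values, matching the question's
# DELIMS/FIELDS layout; the fourth value is what fieldx will hold.
SAMPLE_RAW = "alpha!beta!gamma!user=alice;host=web01"

# Order in which Splunk applies these search-time operations: inline EXTRACT-
# regexes run before REPORT- transforms. This ordering is the crux of the thread.
STAGE_ORDER = ("EXTRACT", "REPORT")

# transforms.conf as in the question, plus one hypothetical stanza
# (bar_from_fieldx) that does the regex work through a transform whose
# SOURCE_KEY is fieldx instead of an inline EXTRACT.
TRANSFORMS = {
    "delim_bam": {"DELIMS": "!", "FIELDS": ["field1", "field2", "field3", "fieldx"]},
    "bar_from_fieldx": {"SOURCE_KEY": "fieldx", "REGEX": r"user=(?P<bar>\w+)"},
}

# props.conf as posted: EXTRACT-bar reads from fieldx, but fieldx only exists
# once delim_bam has run, and EXTRACT runs before REPORT.
PROPS_AS_POSTED = {
    "REPORT-delim": ["delim_bam"],
    "EXTRACT-bar": {"regex": r"user=(?P<bar>\w+)", "in": "fieldx"},
}

# Reordered props.conf (assumption: transforms in one REPORT- line apply in the
# order listed): the dependent extraction runs after delim_bam, so its source
# field exists when it is evaluated.
PROPS_REORDERED = {
    "REPORT-delim": ["delim_bam", "bar_from_fieldx"],
}


def apply_transform(t, event):
    """Apply one modelled transforms.conf stanza (DELIMS/FIELDS or REGEX).

    Returns only the new fields. An absent source field yields nothing, which is
    exactly the silent failure described in the question."""
    source = event.get(t.get("SOURCE_KEY", "_raw"))
    if source is None:
        return {}
    if "DELIMS" in t:
        return dict(zip(t["FIELDS"], source.split(t["DELIMS"])))
    m = re.search(t["REGEX"], source)
    return m.groupdict() if m else {}


def search_time_pass(props, event):
    """One pass of search-time field extraction, stage by stage, over an event dict."""
    event = dict(event)
    for stage in STAGE_ORDER:
        for key, spec in props.items():
            if not key.startswith(stage + "-"):
                continue
            if stage == "EXTRACT":
                # EXTRACT-<class> = <regex> in <field>: an inline regex extraction
                inline = {"REGEX": spec["regex"], "SOURCE_KEY": spec.get("in", "_raw")}
                event.update(apply_transform(inline, event))
            else:
                # REPORT-<class> = <transform>, <transform>, ...
                for name in spec:
                    event.update(apply_transform(TRANSFORMS[name], event))
    return event


def extract(props, raw, reload=False):
    """Run extraction once; reload=True models '| extract reload=true' as a second
    pass over the already-enriched event, per the answer's description."""
    event = search_time_pass(props, {"_raw": raw})
    if reload:
        event = search_time_pass(props, event)
    return event


if __name__ == "__main__":
    print("as posted, one pass   :", extract(PROPS_AS_POSTED, SAMPLE_RAW).get("bar"))
    print("as posted, with reload:", extract(PROPS_AS_POSTED, SAMPLE_RAW, reload=True).get("bar"))
    print("reordered, one pass   :", extract(PROPS_REORDERED, SAMPLE_RAW).get("bar"))
```

The first call returns no bar field, the second returns "alice" only because of the extra pass, and the reordered configuration returns "alice" on a single pass. The practical check is to ask, for every extraction that names a source field other than _raw, which stage creates that field and whether that stage runs earlier.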
Well it's the same thing that I said in the answer you link to as what I've said in my answer below 🙂 Like I said, if you have field extractions that take other field values as their input, you better make sure those fields exist at the time when the field extraction occurs.
Thanks Ayn for the response. But I guess I'll answer this question myself. The answer to this issue can be found here
Thanks for the response. I had a feeling it was something along this line... When I restart the server, I get a bunch of warning messages "possible typo in ..config line 15.. etc.. EVAL-blahblah". I guess it is possibly an issue with the 4.3.3 version; however, the EVAL fields work correctly, and without extract reload. In contrast, the real issue is with the field extract (EXTRACT), but there weren't any warning messages during server restart.
I'm not using another field as their source, but I am extracting their src manually using REPORT-foo, and the DELIMS and FIELDS properties in transforms.conf.