Knowledge Management
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Field extraction failing

grantccarlson
New Member
‎04-23-2019 10:48 AM

Hello,

I have input data that has a field named "tag" and Splunk is not extracting this field correctly. Any suggestions are appreciated!
alt text

Tags (1)
Preview file
208 KB
0 Karma
Reply

vik_splunk
Communicator
‎04-24-2019 12:52 AM

You are likely going to run into an issue of having a "reserved" field name like tag, eventtype etc. where the extracted field tag is possibly going to be confused with Splunk tags. The suggestion would be to rename field at the source csv or have an explicit field extraction to help you.

This might help : https://answers.splunk.com/answers/659101/is-there-a-list-of-unusable-field-names.html

0 Karma
Reply

woodcock
Esteemed Legend
‎04-23-2019 06:27 PM

I suggest you update your post with WAAAAAAAAAAAAAAAAAAAAAY more detail.

0 Karma
Reply

grantccarlson
New Member
‎04-23-2019 07:38 PM

What sort of detail do you need?

0 Karma
Reply

woodcock
Esteemed Legend
‎04-23-2019 11:45 PM

A complete do-over. What is your search SPL? What is your expected output? If your data has a field named "tag", then why do I not see any evidence of this (I guess this is what you are saying is the problem)? What is the field extraction (from props.conf) that is supposed to create this field? Where in one of your sample raw events is the portion of the event that makes up the value for its tag field.

0 Karma
Reply

somesoni2
Revered Legend
‎04-23-2019 11:42 AM

Which column of your csv data is field tag?? Could you share your configuration for field extraction (or sourcetype parsing)?

0 Karma
Reply

grantccarlson
New Member
‎04-23-2019 12:04 PM

The "tag" field is the last field in the data.

Time,src_user,recipient,subject,file_name,tag
4/1/19 10:00,Ty,George,Memo,Virus,email
4/2/19 10:00,George,James,Please see!, ,email
4/3/19 10:00,Mark,Josephine Daakjy,Memo,Memo,email

Here are the first 3 rows of the data. I have removed last names to make the data anonymous.

0 Karma
Reply

somesoni2
Revered Legend
‎04-23-2019 12:36 PM

What's the sourcetype that you've assigned to this sourcetype? Have you configured anything for the CSV field extraction?

0 Karma
Reply

grantccarlson
New Member
‎04-23-2019 12:53 PM

The source type is CSV. I did go through the field extractions -> delimiter to try to rename and extract all the fields. So far I am not having any luck with that process either.

0 Karma
Reply

grantccarlson
New Member
‎04-23-2019 01:41 PM

I also tried to extract the fields via the "+Extract New Fields" option at the bottom on the fields list in the UI, but this also does not work.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...