Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

When displaying the datamodel in search results, auto-extracted fields are not extracted properly for some events?

Shubhanker99
Engager
‎04-26-2022 08:04 PM

Hello Splunk Community,

I am facing this issue and was hoping if anyone could help me:

In the Splunk datamodel, for the auto-extracted fields, there are some events whose fields are not being extracted. Majority of the events have their fields extracted but there are some 10-15 events whose fields are not being extracted properly.

Any suggestions/ideas as to what is causing this discrepancy?

Thanks!

Labels (2)
Labels
0 Karma
Reply

Cvlcceo
Loves-to-Learn Lots
‎01-03-2023 09:12 AM
  • How do I fix unknown values in a data model search?
0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎01-04-2023 01:51 AM

@Cvlcceo - It's a field extraction issue and not a data-model issue. Kindly please fix the issue with field extraction or data.

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎04-26-2022 10:32 PM

@Shubhanker99 - It's possible as data-model solely relies on the events and their extraction.

For example, if I'm having data in which IPs are present and I'm extracting the field src_ip, but then I have some events where IP is not present then src_ip field will not be present in the data-model as well.

What you should do:

  • Check whether your 10-15 events that are missing those fields can extract those fields or not. (You can use your data-models base search to find out those events.)
    • If it can, then fix the field extraction so they also extract the field.
    • If not, then you can make it a calculated field in the data-model and write eval that looks something like this.
      • if(isnull(action), "unknown", action)
      • Here in this example for any event which does not extract the action field, you will be replacing the value with "unknown".

 

I hope this helps!!!

0 Karma
Reply

Shubhanker99
Engager
‎04-26-2022 11:28 PM

@VatsalJagani thanks for the comment. The 10-15 events whose fields are not being extracted properly also have those said fields. Right now I am using eval expressions to extract the important fields which are not being extracted but I wanted to know the root cause of why those fields are not being extracted, just to know in what cases the fields might not be extracted and prepare other plans for those cases.

0 Karma
Reply

VatsalJagani
SplunkTrust
SplunkTrust
‎04-26-2022 11:45 PM

@Shubhanker99 - There could be hundreds of reasons why a field is not being extracted. But it depends on mainly two things that you need to check:

  • What extractions configuration do you have (in props.conf & transforms.conf)
  • What are the events for which it is working and what are the events for which it is not working

By looking at these two, you should be able to identify what is wrong with the extraction configuration.

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...