Knowledge Management

Will it extract any custom fields on the search head or not?

sindhi
Loves-to-Learn Lots

Hi All,

My query is: if we put indexed_time=json in props.conf on the HF where we are ingesting events via the HEC input, and put KV_mode=none in props.conf on the SH, will it extract any custom fields on the SH or not?

Thanks in Advance

0 Karma

somesoni2
SplunkTrust

Yes. You'd either set INDEXED_EXTRACTIONS = JSON (assuming this is what you were referring to) on the originating Splunk instance (UF or HF where the data is collected) OR set up KV_MODE = json on the Search Head to extract JSON fields.

The first method will create index-time field extractions (takes more space but has other benefits, such as faster searching, use of tstats, etc.), while the 2nd method creates search-time field extractions.

0 Karma

sindhi
Loves-to-Learn Lots

Thanks Guys, yes that is a typo, I am talking about indexed_extraction=json. @somesoni2 @PickleRick I am dealing with a _time field extraction issue. Currently I am ingesting Microsoft Defender logs on an HEC input via Event Hub, and I am collecting them at the /collector/event HEC endpoint. I am using the Splunkbase TA, but it seems like events are not extracting _time as per the TA; it is taking it from Event Hub. Not sure how to force Splunk to use the TA regex for the timestamp. Splunk support suggests putting indexed_extraction=json on the HF, but as you mentioned, then it will impact my custom field extractions which I did on the SH. Please advise.

0 Karma

PickleRick
SplunkTrust

If you're sending to the event collector without the ?auto_extract_timestamp=true parameter, Splunk skips parsing the time completely. You have to explicitly provide the time field with the event.

0 Karma

sindhi
Loves-to-Learn Lots

Many Thanks @PickleRick. Can you please share any docs to tell me how I can explicitly provide the timestamp, and where I can see whether we set auto_extract_timestamp=true or not?

The other thing is that Event Hub is adding its own timestamp to the event as well, so we are getting 2 time fields: one named time (added by Event Hub) and the other named timestamp (the correct timestamp from the event). Thanks

0 Karma

PickleRick
SplunkTrust

https://docs.splunk.com/Documentation/Splunk/8.2.6/Data/FormateventsforHTTPEventCollector#Event_meta...

The auto_extract_timestamp is an option you have to provide explicitly. So if you're sending to https://your.server:8088/services/collector/event (without the ?auto... part in the URL) you don't have it set. The question is whether you're sending to the /event endpoint or the /raw one.

0 Karma

sindhi
Loves-to-Learn Lots

Yes, we are using the /services/collector/event endpoint, and I think this is what is happening (please see screenshot) in our case: Event Hub is putting a time field in the event envelope and Splunk is extracting it. It is not extracting the time coming in the events.

[Screenshot attached: sindhi_0-1653287810891.png]

0 Karma

PickleRick
SplunkTrust

Exactly. If the time field is explicitly defined with the event (not _in_ the event, but with the event), it's used and the time is not parsed at all from the event itself.

I use it quite a lot myself when pushing syslog events via HEC.

0 Karma

sindhi
Loves-to-Learn Lots

@PickleRick So in this case we can extract the time from the event by using indexed_extraction=json with TIME_PREFIX and TIME_FORMAT on the HF, right?

0 Karma

PickleRick
SplunkTrust

No. If the event metadata already contains a field called "time", the time extraction will not be performed after receiving the event from HEC even if you're using the auto_extract_timestamp option.

So if you have the opportunity, make sure that the "time" field in the event's "envelope" is set to a proper value.

Other than that, you could try to do some explicit index-time extractions and ingest-time evals to overwrite the initial _time field, but that's a very ugly solution. And it has nothing to do with Splunk's internal time extraction.

0 Karma
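The recommendation above (set the envelope's "time" to a proper value rather than letting the collector's own timestamp win) and the earlier point about the /event endpoint and the auto_extract_timestamp parameter can be illustrated with a small sender-side helper. The following is an added example, not code from this thread, from the Splunk docs, or from the Defender TA: it builds a HEC /services/collector/event payload whose envelope "time" is taken from the event's own timestamp field. The sample event, its field names (properties.timestamp), and the HEC base URL are constructed for illustration.

```python
"""
Added example (not from the thread): build a Splunk HEC /services/collector/event
payload whose envelope "time" is taken from the event's own timestamp, so Splunk
uses the event's time and does not fall back to a collector-supplied one.
"""
import json
from datetime import datetime, timezone
from typing import Optional, Sequence
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Constructed sample (hypothetical shape): an Event Hub style record where the
# collector has added its own "time" and the real event time is nested in the body.
SAMPLE_EVENT = {
    "time": "2022-05-23T06:36:50.891Z",          # constructed: added by the collector
    "properties": {
        "timestamp": "2022-05-23T05:12:03.000Z",  # constructed: the event's real time
        "category": "AdvancedHunting-DeviceEvents",
    },
}


def parse_iso8601(value: str) -> float:
    """Convert an ISO 8601 timestamp (trailing Z or explicit offset) to epoch seconds."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:          # treat naive timestamps as UTC rather than local time
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.timestamp()


def hec_url(base: str, endpoint: str = "event", auto_extract_timestamp: bool = False) -> str:
    """Return the HEC URL; auto_extract_timestamp only applies to the /event endpoint."""
    url = f"{base.rstrip('/')}/services/collector/{endpoint}"
    if auto_extract_timestamp and endpoint == "event":
        url += "?" + urlencode({"auto_extract_timestamp": "true"})
    return url


def build_hec_payload(event: dict, sourcetype: str, host: str,
                      index: Optional[str] = None,
                      timestamp_path: Sequence[str] = ("properties", "timestamp")) -> dict:
    """Wrap the event in a HEC envelope whose "time" comes from the event body.

    The envelope "time" is what Splunk uses for _time on the /event endpoint, so the
    collector-added top-level "time" inside the event is deliberately not used.
    """
    node = event
    for key in timestamp_path:     # walk to the nested timestamp field
        node = node[key]
    payload = {
        "time": parse_iso8601(node),
        "host": host,
        "sourcetype": sourcetype,
        "event": event,
    }
    if index:
        payload["index"] = index
    return payload


def send_to_hec(url: str, token: str, payload: dict) -> int:
    """POST one envelope to HEC and return the HTTP status (not called in the demo)."""
    req = Request(url, data=json.dumps(payload).encode(),
                  headers={"Authorization": f"Splunk {token}",
                           "Content-Type": "application/json"})
    with urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    # hypothetical base URL; nothing is sent, the envelope is only printed
    print(hec_url("https://your.server:8088"))
    print(json.dumps(build_hec_payload(SAMPLE_EVENT, "ms:defender:hub", "eventhub-fwd"), indent=2))
```

The point of the example is the envelope: "time" sits beside "event", not inside it, which is the distinction PickleRick draws above. If the sender sets that field from the event's real timestamp, no props.conf timestamp extraction is needed on the HF and the search-head KV_MODE settings are unaffected.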

PickleRick
SplunkTrust

But you have to remember that the _time field must be set for an event (either provided explicitly with the event (when ingested from an HEC input), extracted from the event at index time, or, if extraction is not possible, set to the moment of ingestion). And the _time field is always indexed.

0 Karma

PickleRick
SplunkTrust

There is no option called INDEXED_TIME in props.conf 🙂 I think you meant INDEXED_EXTRACTIONS. And you don't need to set it to anything, since by default it's not set.

If you set KV_MODE to none, Splunk will not perform any automatic KV extractions. It's explicitly stated in the docs:

KV_MODE = [none|auto|auto_escaped|multi|json|xml]
* Used for search-time field extractions only.
* Specifies the field/value extraction mode for the data.
* Set KV_MODE to one of the following:
  * none: if you want no field/value extraction to take place.
  * auto: extracts field/value pairs separated by equal signs.
  * auto_escaped: extracts fields/value pairs separated by equal signs and
                  honors \" and \\ as escaped sequences within quoted
                  values, e.g field="value with \"nested\" quotes"
  * multi: invokes the multikv search command to expand a tabular event into
           multiple events.
  * xml : automatically extracts fields from XML data.
  * json: automatically extracts fields from JSON data.
* Setting to 'none' can ensure that one or more user-created regexes are not
  overridden by automatic field/value extraction for a particular host,
  source, or source type, and also increases search performance.
* The 'xml' and 'json' modes do not extract any fields when used on data
  that isn't of the correct format (JSON or XML).
* Default: auto
0 Karma