Hi
I have a log like this
Mar 10 20:19:39 10.18.10.11 Mar 10 2016 20:18:07 HIPDR-M909-X8-CA %%01SHELL/5/CMDRECORD(s)[37105]:Recorded command information. (Task=VT1, Ip=10.2.11.10, VpnName=O_G, User=65w, AuthenticationMethod="Local-user", Command="ping -c 100 -vpn-instance DAT 1.23.30")
I have a Field extraction in search mode:
sourcetype="huawei" | rex field=_raw "\%\%\d{2}(?<sig>\w+\/\d+\/\w+)\("
So if I want to search like this
sourcetype="huawei" | rex field=_raw "\%\%\d{2}(?<sig>\w+\/\d+\/\w+)\("| search sig="SHELL/5/CMDRECORD"
Works like charm
But if I save the extraction in Field Extractions, with all the permissions set to global, and we restart Splunk several times and run | extract reload=true
So when I do the search:
sourcetype="huawei" sig="SHELL/5/CMDRECORD"
It shows 0 results.
Any idea what could be happening?
Your extraction starts with a partial token, which requires an extra edit in fields.conf to work. See the docs: http://docs.splunk.com/Documentation/Splunk/6.3.3/Knowledge/Createandmaintainsearch-timefieldextract...
The reason why gets into how segmentation and searching work... in basic terms, at index time, Splunk breaks up your events into words based on punctuation and keeps track of what buckets of data have what words. It then converts your search into words that should appear if your search matches data. If not all words are present for a big bucket of data, that bucket could be tossed prior to Splunk extracting parts of words to see that your search actually does match. (without the fields config, which says essentially your field will not appear as indexed words)
I would guess that in your current configuration this search might actually work without fixing fields.conf:
sourcetype="huawei" sig=* | search sig="SHELL/5/CMDRECORD"
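To make the segmentation argument above concrete, here is an added Python simulation (not Splunk's code, and not from the original answer) that tokenizes the asker's sample event with a simplified breaker set, then compares a search that first requires the field value's words in the lexicon (INDEXED_VALUE=true, the default) with one that relies on the regex alone (INDEXED_VALUE=false). The breaker set and the two-phase lookup are approximations of Splunk's behaviour, chosen only to show why "SHELL" never appears as an indexed word when the raw token is "01SHELL".

```python
import re

# Constructed sample event, copied from the question.
EVENT = ('Mar 10 20:19:39 10.18.10.11 Mar 10 2016 20:18:07 HIPDR-M909-X8-CA '
         '%%01SHELL/5/CMDRECORD(s)[37105]:Recorded command information. '
         '(Task=VT1, Ip=10.2.11.10, VpnName=O_G, User=65w, '
         'AuthenticationMethod="Local-user", '
         'Command="ping -c 100 -vpn-instance DAT 1.23.30")')

# Simplified stand-in for index-time segmentation: split on whitespace and a
# handful of punctuation breakers. Splunk's real breaker sets live in
# segmenters.conf; this is an approximation for illustration only.
BREAKERS = re.compile(r'[\s%/()\[\]:,="]+')

def index_terms(text):
    """Return the set of lexicon words a simplified indexer would record."""
    return {tok for tok in BREAKERS.split(text) if tok}

# The search-time extraction from the question (same regex, Python syntax).
SIG_RE = re.compile(r'%%\d{2}(?P<sig>\w+/\d+/\w+)\(')

def extract_sig(event):
    """Run the search-time rex over one event; None if it does not match."""
    m = SIG_RE.search(event)
    return m.group('sig') if m else None

def search_sig(event, wanted, indexed_value=True):
    """Emulate the search  sig="<wanted>"  against one event.

    indexed_value=True models the default: the value's words must already be
    in the index lexicon, so events whose words are missing are skipped before
    the regex ever runs. indexed_value=False models INDEXED_VALUE = false in
    fields.conf: the extraction alone decides.
    """
    if indexed_value:
        needed = index_terms(wanted)          # {'SHELL', '5', 'CMDRECORD'}
        if not needed <= index_terms(event):  # 'SHELL' is absent; '01SHELL' is present
            return False                      # discarded before extraction
    return extract_sig(event) == wanted
```

The lexicon lookup fails because the indexed word is "01SHELL", not "SHELL", which is exactly the "partial token" case the answer describes.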
Thanks
Creating this stanza in fields.conf:
[sig]
INDEXED = False
INDEXED_VALUE = False
solved the behavior.
And now searches like this work:
sourcetype="huawei" sig=SNMP