Splunk Enterprise

How to use regex to view data?

robertlynch2020
Influencer

Hi

I have data that I can't access unless I use regex.

[screenshot]

But when I run the command that Splunk gives me, I get an empty result.

[screenshot]

I can use this SPL, but the performance is not good. How do I get the attribute to work for this, so I can get the performance gains?

Is this the only way I can see the data? What can I do, as the performance is very bad?

[screenshot]


somesoni2
Revered Legend

How is the field "log.type" extracted (is in raw data OR calculated OR lookup etc)? Does this work?

index="murex_logs" log.type=http


robertlynch2020
Influencer

Hi

This is the raw data. It's coming in via HEC.

log.type=http does not work.

However, the strange thing is that on one environment (8.1)

log.type="http" does work, and on 8.2.5 it doesn't. However, regex always works. So I'm looking for a way that is reliable. It's very strange.


robertlynch2020
Influencer

I think it's a bug in Splunk, as when I downgraded to 8.1 it works.

[screenshot]

PickleRick
SplunkTrust

Are you sure you're not doing something fancy with the fields? The warning suggests you're extracting a huge number of fields. That might be affecting the processing of your search.


robertlynch2020
Influencer

Hi

This error was not happening in 8.2.5, only in 8.1.

I needed to add the prop in limits.conf to get rid of it.

[kv]
# Maximum number of key-value pairs that can be extracted at index time.
# Set this value to 0 to not impose any limit on indexed kv limit.
indexed_kv_limit = 0

I don't know why I was getting it, as I don't see over 100 fields in the data.

[screenshot]
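The two things this thread keeps circling back to are (a) that the field is literally named `log.type`, because Splunk names fields extracted from nested JSON by joining the keys with a dot (and marks array elements with `{}`), which is why the dotted name needs single quotes in `where`/`eval`, and (b) the "huge number of fields" warning behind the `indexed_kv_limit` change. The script below is an added diagnostic example, not Splunk's code and not code from anyone in this thread: it flattens constructed HEC-style payloads using that naming convention, lists the dotted field names you would have to quote, and counts the key-value pairs each event produces so you can see how arrays inflate the count. The sample events and the way multivalue entries are counted (one per value) are assumptions made here for illustration, not a statement of how Splunk applies its own limit.

```python
"""Flatten HEC JSON events using Splunk's dotted field-naming convention and
count the key-value pairs each event yields. Added diagnostic example; not
Splunk code. Sample payloads are constructed, not real data."""
import json

# Constructed HEC POST bodies (assumption: events arrive as {"event": {...}}).
SAMPLE_HEC_EVENTS = [
    '{"event": {"log": {"type": "http", "status": 200},'
    ' "client": {"ip": "10.0.0.5"}}}',
    '{"event": {"log": {"type": "ssh", "status": "ok"},'
    ' "client": {"ip": "10.0.0.6"}}}',
    '{"event": {"log": {"type": "http"}, "headers": ['
    '{"name": "Host", "value": "a"}, {"name": "X-Req", "value": "b"}]}}',
]


def flatten(obj, prefix=""):
    """Return {dotted_name: value} for a nested JSON value.

    Mirrors Splunk's JSON field naming: nested object keys are joined with
    '.', and list elements are collapsed under 'key{}' as a multivalue field
    (held here as a Python list).
    """
    out = {}
    if isinstance(obj, dict):
        for key, val in obj.items():
            name = f"{prefix}.{key}" if prefix else key
            out.update(flatten(val, name))
    elif isinstance(obj, list):
        name = f"{prefix}{{}}"
        for item in obj:
            for key, val in flatten(item, name).items():
                out.setdefault(key, []).append(val)
    else:
        out[prefix] = obj
    return out


def extract_hec_event(raw):
    """Parse one HEC body and return the flattened fields of its 'event'."""
    body = json.loads(raw)
    event = body.get("event", body)
    if not isinstance(event, dict):
        # A plain-string event carries no structured fields.
        return {"_raw": event}
    return flatten(event)


def kv_count(fields):
    """Number of key-value pairs produced by an event. Assumption for this
    diagnostic: every value of a multivalue field counts, which is what makes
    arrays of objects (headers, tags, ...) grow the count quickly."""
    return sum(len(v) if isinstance(v, list) else 1 for v in fields.values())


def dotted_field_names(fields):
    """Field names containing '.', i.e. those that must be written as
    'log.type' (single quotes) in eval/where rather than bare log.type."""
    return sorted(name for name in fields if "." in name)


def filter_by_field(raw_events, name, value):
    """Keep the events whose flattened field `name` equals `value`; the
    equivalent of searching on the dotted field once it is extracted."""
    hits = []
    for raw in raw_events:
        fields = extract_hec_event(raw)
        if fields.get(name) == value:
            hits.append(fields)
    return hits


if __name__ == "__main__":
    for raw in SAMPLE_HEC_EVENTS:
        fields = extract_hec_event(raw)
        print(kv_count(fields), "kv pairs; dotted:", dotted_field_names(fields))
    print(len(filter_by_field(SAMPLE_HEC_EVENTS, "log.type", "http")),
          "events with log.type=http")
```

Run it against a sample of your own HEC payloads (replace `SAMPLE_HEC_EVENTS`) to see whether the per-event pair count approaches the limit you relaxed; raising `indexed_kv_limit` to 0 removes the cap entirely, so it is worth knowing which array-valued keys are driving the count before leaving it unbounded on data you do not control.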

richgalloway
SplunkTrust

Have you tried single quotes instead of doubles?  Single quotes tell Splunk to treat the quoted string as a field name.

index="murex_logs" 'log.type'=http

robertlynch2020
Influencer

Hi 

This did not work in 8.2.5. Thanks for your help.

Rob


richgalloway
SplunkTrust

OK. That was a long shot. Here are a couple of other ideas.

Filter using where instead of in the base query. Yes, this is less efficient, but it might work.

index="murex_logs"
| where 'log.type'="http"

Rename the field.

index="murex_logs" 
| rename log.type as log_type
| where log_type="http"

robertlynch2020
Influencer

hi

So this will only work if I put a table command into it, but I think the table command will slow it down.

[screenshot]

As you can see this does not work.

[screenshot]

Do you think it's a bug in Splunk, or because I am getting in HEC OT data?

[screenshot]

robertlynch2020
Influencer

Also, adding the table command slowed the search down big time, from 137 seconds to 61 seconds.

So I can't use the table command to fix this.

The first screenshot is from 8.2.5

[screenshot]

The second screenshot is from 8.1 

[screenshot]

Do you think I should raise a bug with Splunk, or do you have a few more ideas? Also, thanks again for all the efforts 🙂