Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Cannot search for value in extracted field

jrfrost
Explorer
‎11-16-2017 06:52 AM

I have a field extraction that gets the message number from the raw message string

.{22}\s0-9

The message string is in the format of

2017-11-15T13:32:53,915 4790018 299939553102122275000175000000000022 6834527000103_0_007500002610100_100850055_00045010000010000_1___________________

The field is available and has values of 01, 02, 09, 11, 12, 19, 51, 52, 79, 90, 91 etc. but I cannot search for all values.

If I search for message number 51 I get results
index=main msg_number=51

If I search for message number 52 no results are returned.
index=main msg_number=52

If I use the following search index=main | eval msg_number=msg_number*1 |search msg_number=52, I get results

I have no idea why search for some numbers does not work.

Reply
1 Solution
Solved! Jump to solution
Solution

rphillips_splk
Splunk Employee
Splunk Employee
‎11-16-2017 10:13 AM

@jrfrost My thoughts are that the value you are searching for in "msg_number" is not a separate token in the raw event text but part of a token string in the raw message string from which it is extracted. Events are tokenized based on rules from segmenters.conf, and the value (msg_number) is probably not its own token but just part of a token. Try setting the INDEXED_VALUE in fields.conf on the SH to account for the field-extraction settings.

drop this exact configuration onto your search heads to fix the issue:
$SPLUNK_HOME/etc/system/local/fields.conf
[msg_number]
INDEXED_VALUE=*<VALUE>*

restart splunk

The lispy search will then look something like *msg_number*

Its likely that the events being returned when you search msg_number=51 is a false positive and contain some other tokens in the raw event text containing 51.

View solution in original post

Reply
Solved! Jump to solution
Solution

rphillips_splk
Splunk Employee
Splunk Employee
‎11-16-2017 10:13 AM

@jrfrost My thoughts are that the value you are searching for in "msg_number" is not a separate token in the raw event text but part of a token string in the raw message string from which it is extracted. Events are tokenized based on rules from segmenters.conf, and the value (msg_number) is probably not its own token but just part of a token. Try setting the INDEXED_VALUE in fields.conf on the SH to account for the field-extraction settings.

drop this exact configuration onto your search heads to fix the issue:
$SPLUNK_HOME/etc/system/local/fields.conf
[msg_number]
INDEXED_VALUE=*<VALUE>*

restart splunk

The lispy search will then look something like *msg_number*

Its likely that the events being returned when you search msg_number=51 is a false positive and contain some other tokens in the raw event text containing 51.

Reply
Solved! Jump to solution

jrfrost
Explorer
‎11-17-2017 01:00 AM

Thanks for this, you were right the 51 was a false positive.

0 Karma
Reply
Solved! Jump to solution

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎11-16-2017 09:11 AM

Hi @jrfrost,

can you please try this search?

| index=main
| rex max_match=0 field=_raw ".{22}\s[0-9](?<msg_number>\d{2})" 
| search msg_number=YOUR_NUMBER

You can Set up your transforms.conf and props.conf files to configure multivalue extraction.

In transforms.conf, add the following.

[mv-type]
REGEX = .{22}\s[0-9](?<msg_number>\d{2})
MV_ADD = true

In props.conf for your sourcetype or source, set the following.

REPORT-type = mv-type

Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...

Adoption of Infrastructure Monitoring at Splunk

  Splunk's Growth Engineering team showcases one of their first Splunk product adoption-Splunk Infrastructure ...

Modern way of developing distributed application using OTel

Recently, I had the opportunity to work on a complex microservice using Spring boot and Quarkus to develop a ...