I have a field extraction that gets the message number from the raw message string
.{22}\s0-9
The message string is in the format of
2017-11-15T13:32:53,915 4790018 299939553102122275000175000000000022 6834527000103_0_007500002610100_100850055_00045010000010000_1___________________
The field is available and has values of 01, 02, 09, 11, 12, 19, 51, 52, 79, 90, 91 etc. but I cannot search for all values.
If I search for message number 51 I get results
index=main msg_number=51
If I search for message number 52 no results are returned.
index=main msg_number=52
If I use the following search index=main | eval msg_number=msg_number*1 |search msg_number=52, I get results
I have no idea why search for some numbers does not work.
@jrfrost My thoughts are that the value you are searching for in "msg_number" is not a separate token in the raw event text but part of a token string in the raw message string from which it is extracted. Events are tokenized based on rules from segmenters.conf, and the value (msg_number) is probably not its own token but just part of a token. Try setting the INDEXED_VALUE in fields.conf on the SH to account for the field-extraction settings.
Drop this exact configuration onto your search heads to fix the issue:
$SPLUNK_HOME/etc/system/local/fields.conf
[msg_number]
INDEXED_VALUE=*<VALUE>*
Restart Splunk.
The lispy search will then look something like *msg_number*
It's likely that the events being returned when you search msg_number=51 are false positives and contain some other tokens in the raw event text containing 51.
Thanks for this, you were right the 51 was a false positive.
Hi @jrfrost,
can you please try this search?
index=main
| rex max_match=0 field=_raw ".{22}\s[0-9](?<msg_number>\d{2})"
| search msg_number=YOUR_NUMBER
You can set up your transforms.conf and props.conf files to configure multivalue extraction.
In transforms.conf, add the following.
[mv-type]
REGEX = .{22}\s[0-9](?<msg_number>\d{2})
MV_ADD = true
In props.conf for your sourcetype or source, set the following.
REPORT-type = mv-type
Thanks
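As an added illustration (not part of either answer), the following Python runs the rex pattern from the second answer over the sample event from the question and uses a whitespace split as a rough stand-in for the indexer's major segmentation, to show the first answer's point that the extracted value is not a token of its own and is only found when searched as a substring, which is what INDEXED_VALUE=*<VALUE>* allows for. The whitespace tokenizer is an assumed simplification of segmenters.conf, not Splunk's actual rules.

```python
import re

# Constructed sample event, copied from the question above.
EVENT = ("2017-11-15T13:32:53,915 4790018 299939553102122275000175000000000022 "
         "6834527000103_0_007500002610100_100850055_00045010000010000_1___________________")

# The rex pattern from the second answer, in Python named-group syntax
# ((?P<name>...) instead of Splunk's (?<name>...)).
MSG_NUMBER_RE = re.compile(r".{22}\s[0-9](?P<msg_number>\d{2})")


def extract_msg_number(event):
    """Search-time extraction: the two digits following the first digit of the
    token after the 23-character timestamp. Returns None when the pattern is absent."""
    match = MSG_NUMBER_RE.search(event)
    return match.group("msg_number") if match else None


def major_tokens(event):
    """Assumed stand-in for major segmentation: split the raw text on whitespace.
    Real segmenters.conf rules are richer; this is only enough to show the point."""
    return event.split()


def token_match(event, value):
    """Default lookup: is the searched value present as a whole token?"""
    return value in major_tokens(event)


def substring_match(event, value):
    """Lookup with INDEXED_VALUE=*<VALUE>*: the value may sit inside a larger token."""
    return any(value in token for token in major_tokens(event))


if __name__ == "__main__":
    number = extract_msg_number(EVENT)
    print("msg_number =", number)                          # 79
    print("whole token:", token_match(EVENT, number))      # False: 79 sits inside 4790018
    print("substring:  ", substring_match(EVENT, number))  # True
```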