Splunk Search

Does full key value not extract properly if it starts with a number?

msmapper
Path Finder

I have created a new log message that looks like

2018-06-27 11:28:01,743 WARN TestReporting , id="LJ99YUT5F1K", trans_timestamp="6/27/18 3:42 AM", 3d_secure_data="", arn="", purchase_amount="57.80", currency="USD"

All of my Key-value pairs do auto-extract but the one named 3d_secure_data does not seem to extract the full name. When you look at the Interesting Fields, the key is actually named d_secure_data, the 3 is being dropped off somehow. See screenshot

Is this a known key naming convention where keys can only start with alpha char or is this an issue with auto-extraction? I am using Splunk Enterprise 6.6.3.

I can work around the issue by renaming the key and spelling out the word three, I just want to know if this is a known configuration setup or a bug.

Regards
Jen

0 Karma
1 Solution

ddrillic
Ultra Champion

The documentation says -

Getting Data In

0 Karma

msmapper
Path Finder

Thanks ddrillic! Not sure how I missed that in the documentation after all these years.

0 Karma

ddrillic
Ultra Champion

Sure thing - I wasn't sure either ; -)

0 Karma
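
A pre-deployment check for the behaviour described in this thread, as an added example that is not part of the original posts and not Splunk's code: it lists logged keys whose extracted field name would differ from the name in the log, and keys that would merge into one field, so searches and alerts written against the logged name do not silently match nothing. The rule in `clean_key` is an assumption modeled on the key cleaning described for `CLEAN_KEYS` in transforms.conf; `PAIR_RE`, `clean_key` and `audit_keys` are hypothetical names.

```python
import re

# Constructed sample: the log line from the question above.
SAMPLE = ('2018-06-27 11:28:01,743 WARN TestReporting , id="LJ99YUT5F1K", '
          'trans_timestamp="6/27/18 3:42 AM", 3d_secure_data="", arn="", '
          'purchase_amount="57.80", currency="USD"')

# Hypothetical helper: matches key="value" pairs as written by the logger.
PAIR_RE = re.compile(r'([^\s,="]+)="([^"]*)"')

def clean_key(key):
    """Assumed model of search-time key cleaning: non-alphanumerics become
    underscores, then leading digits and underscores are stripped."""
    return re.sub(r'^[0-9_]+', '', re.sub(r'[^A-Za-z0-9]', '_', key))

def audit_keys(line):
    """Return (renamed, collisions) for the key="value" pairs in one line.

    renamed:    {logged key: field name after cleaning} where the two differ
    collisions: {field name: [logged keys]} where distinct keys merge
    """
    renamed, by_field = {}, {}
    for key, _value in PAIR_RE.findall(line):
        field = clean_key(key)
        if field != key:
            renamed[key] = field
        by_field.setdefault(field, [])
        if key not in by_field[field]:
            by_field[field].append(key)
    collisions = {f: ks for f, ks in by_field.items() if len(ks) > 1}
    return renamed, collisions

if __name__ == "__main__":
    renamed, collisions = audit_keys(SAMPLE)
    for key, field in renamed.items():
        print(f"{key!r} would be searchable as {field!r}")
    # A second constructed line: two logger keys that end up as one field.
    print(audit_keys('3d_secure_data="Y", d_secure_data="N"')[1])
```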