Solved: Does full key value not extract properly if it sta...

msmapper · ‎06-27-2018

I have created a new log message that looks like

2018-06-27 11:28:01,743 WARN TestReporting , id="LJ99YUT5F1K", trans_timestamp="6/27/18 3:42 AM", 3d_secure_data="", arn="", purchase_amount="57.80", currency="USD"

All of my Key-value pairs do auto-extract but the one named 3d_secure_data does not seem to extract the full name. When you look at the Interesting Fields, the key is actually named d_secure_data, the 3 is being dropped off somehow. See screenshot

Is this a known key naming convention where keys can only start with alpha char or is this an issue with auto-extraction? I am using Splunk Enterprise 6.6.3.

I can work around the issue by remaining the key and spelling out the word three, Ijust want to know if this a known configuration setup or a bug.

Regards
Jen

ddrillic · ‎06-27-2018

The documentation says -

Getting Data In

View solution in original post

ddrillic · ‎06-27-2018

The documentation says -

Getting Data In

msmapper · ‎06-27-2018

Thanks ddrillic! Not sure how I missed that in the documentation after all these years.

ddrillic · ‎06-27-2018

Sure thing - I wasn't sure either ; -)

Does full key value not extract properly if it starts with a number?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio