Splunk Search

Extraction does not take place in raw events

yuanliu
SplunkTrust

This happens in one of the newly installed 10.0.1 instances. The only data ingested is tutorialdata.zip from the Splunk Tutorial. The tutorial exercises use fields like action, productId, etc., but this instance gives none of them. After some long diagnosis, I found the culprit: the search command doesn't perform default key-value extraction in raw events. Even if I force an extract command in search like this,

sourcetype=access_combined_wcookie
| extract kvdelim== pairdelim=&

those fields are still not extracted:

[Screenshot: kv-on-raw 2025-11-24 at 9.24.07 PM.png]

Only when I force the same pairdelim + kvdelim directly on url_query like this

sourcetype=access_combined_wcookie
| rename _raw as temp
| rename uri_query as _raw
| extract kvdelim== pairdelim=&

will this instance extract those fields:

[Screenshot: kv-on-uri_query 2025-11-24 at 9.26.01 PM.png]

How can I find the root cause?

Additional data points:

  • If I remove kvdelim== pairdelim=& from extract command, those fields can no longer be extracted even from url_query.
  • Automatic extraction with transform access-extraction (i.e. REPORT-access = access-extractions) works just fine on sourcetype access_combined_wcookie. Otherwise fields like clientip and url_query would not be available.
  • I tested tutorialdata.zip in several other instances, including a new 10.0 instance on a MacBook. No such problem exists there.

ITWhisperer
SplunkTrust

How have you ingested the data?


yuanliu
SplunkTrust

Using the exact sequence as detailed in Upload the tutorial data. As mentioned, the same exercise was done in a few other instances, including newly installed instances, with no problem. Today, I created another 10.0.1 instance on the same OS with nearly identical configurations; no such problem.


ITWhisperer
SplunkTrust

This is a strange one, and given that it seems to work in every other environment, it sounds like there is nothing wrong with the process you used. Is it possible for you to compare your config files on a file-by-file basis between a working environment and a non-working environment to determine what the significant difference might be?

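One way to do the file-by-file comparison suggested above, as an added example that is not from the thread: capture `splunk btool props list access_combined_wcookie --debug` on the working and the non-working instance and diff the effective settings key by key, keeping the source file btool reports so an overriding local layer stands out. The btool output embedded below is constructed, and the KV_MODE override in it is a hypothetical difference used only for illustration, not the cause diagnosed in this thread.

```python
"""Compare the effective props.conf settings of one sourcetype between a
working and a non-working Splunk instance, using the output of
`splunk btool props list <sourcetype> --debug` captured on each host."""
import re
from typing import Dict, Tuple

# btool --debug prints "<source file>  <setting line>"; the path shows which
# layer (system/default, an app's default or local) supplied the value.
LINE_RE = re.compile(r"^(?P<path>\S+)\s+(?P<body>.*)$")

# Constructed sample output (not captured from the poster's instances).
GOOD_BTOOL = """\
/opt/splunk/etc/system/default/props.conf  [access_combined_wcookie]
/opt/splunk/etc/system/default/props.conf  KV_MODE = auto
/opt/splunk/etc/system/default/props.conf  MAX_TIMESTAMP_LOOKAHEAD = 32
/opt/splunk/etc/system/default/props.conf  REPORT-access = access-extractions
/opt/splunk/etc/system/default/props.conf  pulldown_type = true
"""
# Same stanza with a hypothetical local override added for illustration.
BAD_BTOOL = """\
/opt/splunk/etc/system/default/props.conf  [access_combined_wcookie]
/opt/splunk/etc/apps/search/local/props.conf  KV_MODE = none
/opt/splunk/etc/system/default/props.conf  MAX_TIMESTAMP_LOOKAHEAD = 32
/opt/splunk/etc/system/default/props.conf  REPORT-access = access-extractions
/opt/splunk/etc/system/default/props.conf  pulldown_type = true
"""

def parse_btool_debug(text: str) -> Dict[str, Tuple[str, str]]:
    """Map each setting key to (value, source file); the stanza header is skipped."""
    settings: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("body").startswith("["):
            continue
        key, _, value = m.group("body").partition("=")
        settings[key.strip()] = (value.strip(), m.group("path"))
    return settings

def diff_settings(good: Dict[str, Tuple[str, str]], bad: Dict[str, Tuple[str, str]]):
    """Return {key: (good_value, bad_value, bad_source)} for every key whose
    effective value differs; None marks a key absent on that side."""
    out = {}
    for key in sorted(set(good) | set(bad)):
        gv = good.get(key, (None, None))
        bv = bad.get(key, (None, None))
        if gv[0] != bv[0]:
            out[key] = (gv[0], bv[0], bv[1])
    return out

if __name__ == "__main__":
    diffs = diff_settings(parse_btool_debug(GOOD_BTOOL), parse_btool_debug(BAD_BTOOL))
    for key, (gv, bv, src) in diffs.items():
        print(f"{key}: working={gv!r} broken={bv!r} (from {src})")
```

Run the same comparison for `transforms` (`splunk btool transforms list access-extractions --debug`) and for the search app's local layer, since a difference on either side of the REPORT chain would show up the same way.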