Solved: Field Extraction from scheduled-search

hjwang · ‎03-27-2012

Dear all

There is something strange that i can see the correct results of field extraction from manually search but when it sent to scheduled-search, the completed result i saw in search job is not all fields can be shown out even if i select all the fields. The raw data is like field1=value1 field2=value2 ... , and when i add | fields * at the end, it just only displayed.

And when I trigger it to script alert, I can use python script to extract the some fields i want but others can't.

for row in csv.DictReader(openany(results_file)):
    sms(row["msg"])

if i change field "msg" to "_time" or "user", it can be executed correctly, but when set to field "msg" or "_raw", it can't (here the msg is the string strcat from other fields ). so i wanna know where are the search results stored?? ($SPLUNK_HOME/var/run/splunk/dispatch) ?? i wanna check the fields whether splunk extracted correctly and does anyone have good suggestion to debug this?

hjwang · ‎03-27-2012

i think i caught this bug due to python's shell call which will miss some fields from search result

View solution in original post

hjwang · ‎03-27-2012

i think i caught this bug due to python's shell call which will miss some fields from search result

Field Extraction from scheduled-search

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!