Splunk Search

Field extraction not working on distributed search

bdstark
New Member

I am trying to create a field extraction using the manager to extract the equivalent of:

sourcetype=jsonLogs | rex field=message "^'(?<s>[^']*)' request received"

which extracts requesttype properly (as s - Markdown is removing anything between <> with more than one character). Manager creates the following (ignoring the naming difference between transactiontype and requesttype):

props.conf:
[jsonLogs]
REPORT-requesttype = requesttype

transforms.conf:
[requesttype]
CLEAN_KEYS = 1
MV_ADD = 0
REGEX = ^'(?<transactiontype>[^']*)' request received
SOURCE_KEY = message

however the requesttype field is never extracted and does not show up in the available fields dialog with the following search:

sourcetype=jsonLogs

Including the field in the search does not return any results:

sourcetype=jsonLogs requesttype=*

The files are in the search app on the search server, and do not exist on the indexer, which looks to be correct from the documentation at http://docs.splunk.com/Documentation/Splunk/latest/Deploy/Whatisdistributedsearch. The field extraction only occurs on a limited number of results (~65 of 22,000) in the initial search. I can't figure out what I am doing wrong here after working on this for several hours. Is there anything I should be looking at?

0 Karma

bdstark
New Member

I have updated the transforms.prop file, based on Ayn's comments below to:

[requesttype]
CLEAN_KEYS = 1
MV_ADD = 0
REGEX = ^'([^']*)' request received
SOURCE_KEY = message
FORMAT = requesttype::$1

The field still is not being extracted.

0 Karma

kristian_kolb
Ultra Champion

In your configuration requesttype is not the name of a field. It is the name of a transform stanza to be applied to data with the jsonLogs sourcetype. The name of the field is what you specify between the angle brackets in your regex statement (in your case that is transactiontype).

As you have correctly noted, this configuration should be placed on the Search Head.

Hope this helps,

Kristian

0 Karma

bdstark
New Member

Missed the transactiontype extract, although that field was also not being extracted (I renamed the field halfway through this thinking transactiontype may be reserved). I have updated as follows based on Ayn's comments:

REGEX = ^'([^']*)' request received
FORMAT = requesttype::$1

The field is still not being extracted with the above search.

0 Karma

Ayn
Legend

Moreover, the (?<fieldname>...) format is only for EXTRACT statements, not extractions in transforms.conf. In transforms.conf, you create your matching group without giving it a name - this is done separately in the FORMAT definition. Like this:

REGEX = ^'([^']*)' request received
FORMAT = transactiontype::$1

0 Karma
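Added example, not code from this thread or from Splunk: a small Python emulation of the REGEX / FORMAT / SOURCE_KEY stanza discussed above, run over constructed JSON events, so an extraction can be checked offline before it is deployed to the search head. The stanza contents and the sample events are assumed, and Splunk's real search-time pipeline is only approximated here (the point is the `name::$N` mapping and the field-name mismatch that makes `requesttype=*` return nothing).

```python
import json
import re

# Constructed sample events in the shape the thread describes: JSON logs whose
# "message" field starts with the quoted request type.
SAMPLE_EVENTS = [
    '{"ts": "2024-01-01T00:00:00Z", "message": "\'login\' request received from 10.0.0.5"}',
    '{"ts": "2024-01-01T00:00:01Z", "message": "\'transfer\' request received from 10.0.0.9"}',
    '{"ts": "2024-01-01T00:00:02Z", "message": "heartbeat ok"}',
]

# The transforms.conf stanza from Ayn's answer, as a dict (assumed values).
TRANSFORM = {
    "REGEX": r"^'([^']*)' request received",
    "FORMAT": "transactiontype::$1",
    "SOURCE_KEY": "message",
}

# FORMAT is a list of fieldname::$N pairs; $N is the N-th capturing group.
FORMAT_PAIR = re.compile(r"(\w+)::\$(\d+)")


def apply_transform(event_fields, stanza):
    """Emulate a search-time REPORT transform: run REGEX over SOURCE_KEY and
    build fields from FORMAT's name::$N pairs. Returns {} when nothing matches."""
    source = event_fields.get(stanza.get("SOURCE_KEY", "_raw"))
    if source is None:
        return {}  # SOURCE_KEY must already exist as a field when the transform runs
    m = re.search(stanza["REGEX"], source)
    if not m:
        return {}
    return {name: m.group(int(idx)) for name, idx in FORMAT_PAIR.findall(stanza["FORMAT"])}


def extract_all(raw_events, stanza):
    """Parse each JSON event, then add whatever the transform extracts."""
    results = []
    for raw in raw_events:
        fields = json.loads(raw)
        fields.update(apply_transform(fields, stanza))
        results.append(fields)
    return results


def count_with_field(results, name):
    """Equivalent of checking how many events `name=*` would return."""
    return sum(1 for r in results if name in r)


if __name__ == "__main__":
    rows = extract_all(SAMPLE_EVENTS, TRANSFORM)
    for r in rows:
        print(r.get("transactiontype", "<no match>"), "<-", r["message"])
    print(count_with_field(rows, "transactiontype"), "of", len(rows), "events extracted")
    print(count_with_field(rows, "requesttype"), "events have requesttype (stanza name, not a field)")
```

Searching for the stanza name instead of the FORMAT field name is the mismatch Kristian points out; the last line shows it yields zero hits even when the regex matches.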