Splunk Search

Field extractions for my app not showing up in search

DEAD_BEEF
Builder

I have a custom set of logs for which I wrote the regex to parse them. I then created a field extraction via the search head GUI and everything worked perfectly. I decided to delete the local SH field extractions and instead add the field extractions to the app I wrote (for portability) to ingest these logs, and now none of the extractions are working when I ingest new data and search. My app is installed on a HF where the logs are being monitored.

I copy-pasted the exact regex I was using from the GUI extractions, and when I search, nothing is parsed, no fields are displayed, punct is still being calculated, and KV_MODE is being ignored... what am I doing wrong?

inputs.conf

[monitor:///mnt/data/monitor/foo/foo/bar.log]
index = main
sourcetype = custom:dns
queue = parsingQueue
disabled = 0

props.conf

[custom:dns]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^.*?\-\s
TIME_FORMAT = %s
TZ = GMT
ANNOTATE_PUNCT = false
KV_MODE = none
EXTRACT-custom_dns_fields = \d+\s\-\s\d+\s(?<timestamp>[^,]*),(?<src>[^,]*),(?<src_port>[^,]*),(?<query>[^,]*),IN,(?<query_type>[^,]*),(?<EDNS0>[^,]*),(?<EDNS0_size>[^,]*),(?<DNSSEC>[^,]*),(?<TCP>[^,]*),
TRANSFORMS-custom_dns_response = custom_dns_response

transforms.conf

[custom_dns_response]
REGEX = (\d+):([\.a-zA-Z0-9-]+)\s
FORMAT = response_code_id::$1 response_code::$2
CLEAN_KEYS = 0
MV_ADD = 1
0 Karma
1 Solution

MuS
SplunkTrust

Hi DEAD_BEEF,

Did you set the permissions correctly and configure the sharing to be system/all apps instead of just your app?
Please see the docs https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Manageknowledgeobjectpermissions for more detail on that topic.

Hope this helps ...

cheers, MuS

DEAD_BEEF
Builder

My app is on my HF. Does it also need to be on the SH to access the search-time field extractions?

0 Karma
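As an added example (not the poster's app and not MuS's code), here is one way the app's default/ and metadata/ directories can be laid out so the extractions are both shared with other apps and applied at search time. It assumes the app is installed on the search head as well as the HF: EXTRACT-, REPORT- and KV_MODE are search-time settings evaluated on the search head, while the HF only uses the index-time settings (line breaking, timestamping). The stanzas are copied from the posted props.conf and transforms.conf with one substantive change: the transforms.conf stanza is referenced with REPORT- rather than TRANSFORMS-, because TRANSFORMS- is an index-time setting and would not produce search-time fields. The file paths and the access line are assumptions, shown for illustration.

```ini
; metadata/default.meta (assumed path inside the app)
; Without an export, props/transforms objects are visible only inside
; this app, so a search run from another app (e.g. "search") never
; applies them. Exporting to "system" shares every object in the app.
[]
export = system
access = read : [ * ], write : [ admin ]

; default/props.conf
[custom:dns]
; index-time settings (used by the HF)
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^.*?\-\s
TIME_FORMAT = %s
TZ = GMT
ANNOTATE_PUNCT = false
; search-time settings (used by the search head)
KV_MODE = none
EXTRACT-custom_dns_fields = \d+\s\-\s\d+\s(?<timestamp>[^,]*),(?<src>[^,]*),(?<src_port>[^,]*),(?<query>[^,]*),IN,(?<query_type>[^,]*),(?<EDNS0>[^,]*),(?<EDNS0_size>[^,]*),(?<DNSSEC>[^,]*),(?<TCP>[^,]*),
; REPORT- applies a transforms.conf stanza at search time;
; TRANSFORMS- would be index-time and needs WRITE_META on the HF.
REPORT-custom_dns_response = custom_dns_response

; default/transforms.conf
[custom_dns_response]
REGEX = (\d+):([\.a-zA-Z0-9-]+)\s
FORMAT = response_code_id::$1 response_code::$2
CLEAN_KEYS = 0
MV_ADD = 1
```

After deploying this to the search head, a quick check is to run the search from the default "search" app in verbose mode and confirm the fields appear; if they only show up when the app is selected, the export in default.meta has not taken effect. Keep in mind that index-time changes (line breaking, timestamps, indexed fields) only affect data ingested after the change, whereas the search-time extractions above apply to data already indexed.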

MuS
SplunkTrust

Another issue could be the search mode: if you run your search in fast mode, field extraction will only work for the fields referenced in the base search.

Again see the docs https://docs.splunk.com/Documentation/Splunk/latest/Search/Changethesearchmode for more details on that topic.

cheers, MuS

0 Karma