- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Field extractions for my app not showing up in...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a custom set of logs where I wrote out the regex to parse it. I then created a field extraction via the search head GUI and everything worked perfectly. I decided to delete the local SH field extractions and instead add the field extractions to the app I wrote (for portability) to ingest these logs and now none of the extractions are working when I ingested new data and searched. My app is installed on a HF where the logs are being monitored.
I copy+pasted the exact regex I was using from the GUI extractions and using search and nothing is parsed, no fields are displayed, punct is being calculated, and KV_MODE is being ignored... what am I doing wrong?
inputs.conf
[monitor:///mnt/data/monitor/foo/foo/bar.log]
index = main
sourcetype = custom:dns
queue = parsingQueue
disabled = 0
props.conf
[custom:dns]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^.*?\-\s
TIME_FORMAT = %s
TZ = GMT
ANNOTATE_PUNCT = false
KV_MODE = none
EXTRACT-custom_dns_fields = \d+\s\-\s\d+\s(?<timestamp>[^,]*),(?<src>[^,]*),(?<src_port>[^,]*),(?<query>[^,]*),IN,(?<query_type>[^,]*),(?<EDNS0>[^,]*),(?<EDNS0_size>[^,]*),(?<DNSSEC>[^,]*),(?<TCP>[^,]*),
TRANSFORMS-custom_dns_response = custom_dns_response
transforms.conf
[custom_dns_response]
REGEX = (\d+):([\.a-zA-Z0-9-]+)\s
FORMAT = response_code_id::$1 response_code::$2
CLEAN_KEYS = 0
MV_ADD = 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi DEAD_BEEF,
did you set the permission correct and configured the sharing to be system/all apps instead of just your app?
Please see the docs https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Manageknowledgeobjectpermissions for more detail on that topic.
Hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi DEAD_BEEF,
did you set the permission correct and configured the sharing to be system/all apps instead of just your app?
Please see the docs https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Manageknowledgeobjectpermissions for more detail on that topic.
Hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
My app is on my HF. Does it also need to be on the SH to access the search-time field extractions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Another issue could be the search mode: if you run your search in fast mode field extraction will only work for any field provided in the base search.
Again see the docs https://docs.splunk.com/Documentation/Splunk/latest/Search/Changethesearchmode for more details on that topic.
cheers, MuS
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
