
Field extractions for my app not showing up in search

DEAD_BEEF
Builder

I have a custom set of logs for which I wrote out the regex to parse them. I then created a field extraction via the search head GUI and everything worked perfectly. I decided to delete the local SH field extractions and instead add the field extractions to the app I wrote (for portability) to ingest these logs, and now none of the extractions work when I ingest new data and search. My app is installed on a HF where the logs are being monitored.

I copied and pasted the exact regex I was using from the GUI extractions, and when I search nothing is parsed: no fields are displayed, punct is being calculated, and KV_MODE is being ignored... What am I doing wrong?

inputs.conf

[monitor:///mnt/data/monitor/foo/foo/bar.log]
index = main
sourcetype = custom:dns
queue = parsingQueue
disabled = 0

props.conf

[custom:dns]
# Index-time settings: applied by the first Splunk instance that parses the stream (the HF here)
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^.*?\-\s
TIME_FORMAT = %s
TZ = GMT
ANNOTATE_PUNCT = false
# Search-time settings: applied by the search head that runs the query
KV_MODE = none
EXTRACT-custom_dns_fields = \d+\s\-\s\d+\s(?<timestamp>[^,]*),(?<src>[^,]*),(?<src_port>[^,]*),(?<query>[^,]*),IN,(?<query_type>[^,]*),(?<EDNS0>[^,]*),(?<EDNS0_size>[^,]*),(?<DNSSEC>[^,]*),(?<TCP>[^,]*),
# TRANSFORMS-<name> is an index-time transform (stanza defined in transforms.conf)
TRANSFORMS-custom_dns_response = custom_dns_response

transforms.conf

[custom_dns_response]
# Unnamed capture groups are referenced as $1 and $2 in FORMAT
REGEX = (\d+):([\.a-zA-Z0-9-]+)\s
FORMAT = response_code_id::$1 response_code::$2
# CLEAN_KEYS = 0 keeps the field names as written; MV_ADD = 1 appends a value for every match
CLEAN_KEYS = 0
MV_ADD = 1
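Before touching permissions it is worth proving that the regexes in the posted props.conf and transforms.conf match the data at all. The following Python script is an added example, not part of the question or of Splunk: it takes the patterns verbatim from the configs above and emulates how Splunk evaluates them (EXTRACT- as a single named-group match, the REGEX/FORMAT transform with MV_ADD = 1 as repeated matches, and TIME_PREFIX with TIME_FORMAT = %s as an epoch after the prefix). The sample events are constructed to fit the layout the regexes imply, since the question does not show a real log line; the only adjustment is rewriting PCRE named groups `(?<name>...)` to Python's `(?P<name>...)`.

```python
import re
from typing import Dict, List, Optional

# Patterns copied verbatim from the props.conf / transforms.conf posted above.
EXTRACT_CUSTOM_DNS_FIELDS = (
    r"\d+\s\-\s\d+\s(?<timestamp>[^,]*),(?<src>[^,]*),(?<src_port>[^,]*),"
    r"(?<query>[^,]*),IN,(?<query_type>[^,]*),(?<EDNS0>[^,]*),(?<EDNS0_size>[^,]*),"
    r"(?<DNSSEC>[^,]*),(?<TCP>[^,]*),"
)
TIME_PREFIX = r"^.*?\-\s"          # TIME_FORMAT = %s: epoch seconds follow the prefix
RESPONSE_REGEX = r"(\d+):([\.a-zA-Z0-9-]+)\s"
RESPONSE_FORMAT = "response_code_id::$1 response_code::$2"

# Constructed sample events (not real data), shaped to fit the regexes above:
# "<id> - <epoch> <timestamp>,<src>,<src_port>,<query>,IN,<qtype>,<EDNS0>,<EDNS0_size>,<DNSSEC>,<TCP>,<tail>"
SAMPLE_EVENTS = [
    "4242 - 1700000000 2023-11-14T22:13:20,10.0.0.5,53211,example.com,IN,A,1,4096,0,0,0:NOERROR ",
    "4243 - 1700000001 2023-11-14T22:13:21,10.0.0.7,40122,nx.example.net,IN,AAAA,0,512,1,1,3:NXDOMAIN ",
    "this line does not match the expected layout at all",
]


def pcre_to_python(pattern: str) -> str:
    """Splunk regexes are PCRE and use (?<name>...); Python's re only accepts (?P<name>...)."""
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", pattern)


def extract_fields(event: str) -> Dict[str, str]:
    """Emulate EXTRACT-<name>: the first match wins and each named group becomes a field."""
    match = re.search(pcre_to_python(EXTRACT_CUSTOM_DNS_FIELDS), event)
    return match.groupdict() if match else {}


def apply_transform(event: str) -> Dict[str, List[str]]:
    """Emulate a REGEX/FORMAT transform with MV_ADD = 1: every match appends a value."""
    fields: Dict[str, List[str]] = {}
    for match in re.finditer(RESPONSE_REGEX, event):
        for pair in RESPONSE_FORMAT.split():
            name, ref = pair.split("::")            # e.g. "response_code_id", "$1"
            fields.setdefault(name, []).append(match.group(int(ref[1:])))
    return fields


def extract_epoch(event: str) -> Optional[int]:
    """Emulate TIME_PREFIX + TIME_FORMAT = %s: the integer right after the first '- '."""
    match = re.match(TIME_PREFIX + r"(\d+)", event)
    return int(match.group(1)) if match else None


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event)
        print("  _time     :", extract_epoch(event))
        print("  EXTRACT   :", extract_fields(event) or "NO MATCH")
        print("  TRANSFORMS:", apply_transform(event) or "NO MATCH")
```

If this script extracts the fields from a copy of a real event but Splunk does not, the regexes are fine and the problem is where the configuration lives or how it is shared, which is what the accepted answer addresses.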
1 Solution

MuS
SplunkTrust

Hi DEAD_BEEF,

Did you set the permissions correctly and configure the sharing to be system/all apps instead of just your app?
Please see the docs https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Manageknowledgeobjectpermissions for more detail on that topic.

Hope this helps ...

cheers, MuS
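For an app that ships its own props.conf and transforms.conf, the sharing the answer refers to is set in the app's metadata/default.meta (or local.meta once it has been changed through the GUI): "All apps" sharing is written as export = system for the object type. The script below is an added example, not code from the post or from Splunk. It parses constructed .meta contents and reports the effective export setting for props and transforms, and it sorts the keys of the props.conf stanza from the question into the tier that evaluates them: index-time settings run on the first full Splunk instance that parses the stream (the HF in this setup), search-time settings run on the search head. The two .meta samples are constructed; the props.conf stanza is the one posted in the question.

```python
from typing import Dict, List

# Constructed metadata/default.meta contents (not from the post). In Splunk .meta files the
# empty stanza [] is the default for every object type, [props] overrides it for props.conf
# objects, and "export = system" is what the GUI's "All apps" sharing writes.
META_PRIVATE = """\
[]
access = read : [ * ], write : [ admin ]

[props]
access = read : [ * ], write : [ admin ]
"""

META_SHARED = """\
[]
access = read : [ * ], write : [ admin ]
export = system

[props]
access = read : [ * ], write : [ admin ]
export = system

[transforms]
access = read : [ * ], write : [ admin ]
export = system
"""

# The props.conf stanza exactly as posted in the question.
PROPS_CONF = r"""
[custom:dns]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^.*?\-\s
TIME_FORMAT = %s
TZ = GMT
ANNOTATE_PUNCT = false
KV_MODE = none
EXTRACT-custom_dns_fields = \d+\s\-\s\d+\s(?<timestamp>[^,]*),(?<src>[^,]*),(?<src_port>[^,]*),(?<query>[^,]*),IN,(?<query_type>[^,]*),(?<EDNS0>[^,]*),(?<EDNS0_size>[^,]*),(?<DNSSEC>[^,]*),(?<TCP>[^,]*),
TRANSFORMS-custom_dns_response = custom_dns_response
"""

# props.conf keys Splunk evaluates at index time (first parsing instance, the HF here)
# versus at search time (the search head running the query).
INDEX_TIME_KEYS = {"SHOULD_LINEMERGE", "LINE_BREAKER", "TIME_PREFIX", "TIME_FORMAT", "TZ", "ANNOTATE_PUNCT"}
INDEX_TIME_PREFIXES = ("TRANSFORMS-",)
SEARCH_TIME_KEYS = {"KV_MODE"}
SEARCH_TIME_PREFIXES = ("EXTRACT-", "REPORT-", "FIELDALIAS-", "EVAL-", "LOOKUP-")


def parse_stanzas(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for Splunk .conf/.meta syntax: [stanza] headers and key = value lines."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]            # "[]" becomes the empty default stanza
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def effective_export(meta_text: str, object_type: str) -> str:
    """Resolve export for an object type: [object_type] beats [], and absent means 'none'."""
    meta = parse_stanzas(meta_text)
    for stanza in (object_type, ""):
        if "export" in meta.get(stanza, {}):
            return meta[stanza]["export"]
    return "none"


def sharing_report(meta_text: str, object_types=("props", "transforms")) -> Dict[str, str]:
    """Effective export setting per object type, e.g. {'props': 'system', 'transforms': 'none'}."""
    return {obj: effective_export(meta_text, obj) for obj in object_types}


def tier_for(key: str) -> str:
    """Classify one props.conf key by the tier that applies it."""
    if key in INDEX_TIME_KEYS or key.startswith(INDEX_TIME_PREFIXES):
        return "index-time"
    if key in SEARCH_TIME_KEYS or key.startswith(SEARCH_TIME_PREFIXES):
        return "search-time"
    return "unknown"


def where_settings_apply(props_text: str, stanza: str) -> Dict[str, List[str]]:
    """Group one props.conf stanza's keys by the tier that evaluates them."""
    grouped: Dict[str, List[str]] = {"index-time": [], "search-time": [], "unknown": []}
    for key in parse_stanzas(props_text).get(stanza, {}):
        grouped[tier_for(key)].append(key)
    return grouped


if __name__ == "__main__":
    print("private app :", sharing_report(META_PRIVATE))
    print("shared app  :", sharing_report(META_SHARED))
    for tier, keys in where_settings_apply(PROPS_CONF, "custom:dns").items():
        print(f"{tier:12}: {', '.join(keys) or '-'}")
```

Two consequences for the setup in the question: the EXTRACT- and KV_MODE settings are search-time, so a copy of the app with its props stanza exported to system has to be installed on the search head, not only on the HF; and an index-time TRANSFORMS- stanza that is meant to create fields additionally needs WRITE_META = true in its transforms.conf stanza.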


DEAD_BEEF
Builder

My app is on my HF. Does it also need to be on the SH to access the search-time field extractions?


MuS
SplunkTrust

Another issue could be the search mode: if you run your search in fast mode, field extraction will only work for fields provided in the base search.

Again see the docs https://docs.splunk.com/Documentation/Splunk/latest/Search/Changethesearchmode for more details on that topic.

cheers, MuS
