Splunk Search

Field extractions for my app not showing up in search

Builder

I have a custom set of logs for which I wrote a regex to parse them. I then created a field extraction via the search head GUI and everything worked perfectly. I decided to delete the local SH field extractions and instead add the field extractions to the app I wrote (for portability) to ingest these logs, and now none of the extractions are working when I ingest new data and search. My app is installed on a HF where the logs are being monitored.

I copied and pasted the exact regex I was using from the GUI extractions, and when I search nothing is parsed, no fields are displayed, punct is being calculated, and KV_MODE is being ignored... what am I doing wrong?

inputs.conf

[monitor:///mnt/data/monitor/foo/foo/bar.log]
index = main
sourcetype = custom:dns
queue = parsingQueue
disabled = 0

props.conf

[custom:dns]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)
TIME_PREFIX = ^.*?\-\s
TIME_FORMAT = %s
TZ = GMT
ANNOTATE_PUNCT = false
KV_MODE = none
EXTRACT-custom_dns_fields = \d+\s\-\s\d+\s(?<timestamp>[^,]*),(?<src>[^,]*),(?<src_port>[^,]*),(?<query>[^,]*),IN,(?<query_type>[^,]*),(?<EDNS0>[^,]*),(?<EDNS0_size>[^,]*),(?<DNSSEC>[^,]*),(?<TCP>[^,]*),
TRANSFORMS-custom_dns_response = custom_dns_response

transforms.conf

[custom_dns_response]
REGEX = (\d+):([\.a-zA-Z0-9-]+)\s
FORMAT = response_code_id::$1 response_code::$2
CLEAN_KEYS = 0
MV_ADD = 1
0 Karma
1 Solution
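Before looking at permissions it is worth confirming, outside Splunk, that the regexes actually match an event. The script below is an added example and not part of the original post: it takes the EXTRACT and TRANSFORMS regexes from the props.conf and transforms.conf above, converts the PCRE named groups (?<name>...) to Python's (?P<name>...) form, and runs them over a constructed sample line (the line, including the trailing "0:NOERROR 5ms", is made up to fit the regexes). It emulates MV_ADD = 1 by collecting every match of REGEX, which is an assumption about how Splunk applies the transform. Two facts about the settings themselves that a practitioner checking this should keep in mind: KV_MODE, EXTRACT-<class> and REPORT-<class> are search-time settings evaluated on the search head, while TRANSFORMS-<class> in props.conf is applied at index time on the forwarder, so a transforms stanza intended for search-time field extraction would normally be referenced as REPORT-custom_dns_response rather than TRANSFORMS-custom_dns_response.

```python
import re

# Constructed sample event shaped to fit the stanza in the question; not a real log line.
SAMPLE_EVENT = ("1 - 1588000000 2020-04-27T15:06:40Z,10.0.0.5,53211,www.example.com,"
                "IN,A,1,4096,0,0,0:NOERROR 5ms")

# Regexes and FORMAT copied from the question's props.conf / transforms.conf.
TIME_PREFIX = r"^.*?\-\s"
EXTRACT_REGEX = (r"\d+\s\-\s\d+\s(?<timestamp>[^,]*),(?<src>[^,]*),(?<src_port>[^,]*),"
                 r"(?<query>[^,]*),IN,(?<query_type>[^,]*),(?<EDNS0>[^,]*),(?<EDNS0_size>[^,]*),"
                 r"(?<DNSSEC>[^,]*),(?<TCP>[^,]*),")
TRANSFORM_REGEX = r"(\d+):([\.a-zA-Z0-9-]+)\s"
TRANSFORM_FORMAT = "response_code_id::$1 response_code::$2"


def pcre_to_python(pattern):
    """Splunk regexes are PCRE and use (?<name>...); Python's re module needs (?P<name>...)."""
    return re.sub(r"\(\?<([A-Za-z_]\w*)>", r"(?P<\1>", pattern)


def apply_extract(event, pattern=EXTRACT_REGEX):
    """Emulate an EXTRACT-<class> setting: named groups become fields, first match only."""
    match = re.search(pcre_to_python(pattern), event)
    return match.groupdict() if match else {}


def apply_transform(event, pattern=TRANSFORM_REGEX, fmt=TRANSFORM_FORMAT):
    """Emulate a transforms.conf stanza with REGEX/FORMAT and MV_ADD = 1.

    Assumption: with MV_ADD = 1 every match of REGEX adds a value, so fields are lists.
    FORMAT tokens look like name::$N, where $N refers to capture group N.
    """
    fields = {}
    for match in re.finditer(pattern, event):
        for token in fmt.split():
            name, ref = token.split("::")
            fields.setdefault(name, []).append(match.group(int(ref.lstrip("$"))))
    return fields


def epoch_after_prefix(event, prefix=TIME_PREFIX):
    """TIME_PREFIX plus TIME_FORMAT = %s: the epoch seconds immediately after the prefix."""
    match = re.match(prefix + r"(\d+)", event)
    return int(match.group(1)) if match else None


if __name__ == "__main__":
    print("extract  :", apply_extract(SAMPLE_EVENT))
    print("transform:", apply_transform(SAMPLE_EVENT))
    print("epoch    :", epoch_after_prefix(SAMPLE_EVENT))
```

If all three functions return the expected fields for a line copied from the real log, the regexes are not the problem and the issue lies in where and with what sharing the extractions are deployed. Note that the transforms regex is unanchored, so any "digits:word " sequence elsewhere in an event would also be picked up.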

SplunkTrust

Hi DEAD_BEEF,

Did you set the permissions correctly and configure the sharing to be system/all apps instead of just your app?
Please see the docs https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Manageknowledgeobjectpermissions for more detail on that topic.

Hope this helps ...

cheers, MuS


0 Karma
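As an added check for the sharing point MuS raises (this is example code, not from the thread or from Splunk): search-time knowledge objects shipped in an app are private to that app unless the app's metadata exports them. The script below parses a Splunk metadata file (default.meta or local.meta) with a small hand-written parser and reports whether props and transforms stanzas are exported to the system, comparing a constructed file with no export line against one that exports them; both files are made up for this example. It assumes Splunk's precedence, where a [props/<stanza>] entry wins over [props], which wins over the global [] entry, and that export defaults to none. It also assumes the app carrying these files is present on the search head, since EXTRACT and REPORT settings are evaluated there rather than on the heavy forwarder.

```python
# Constructed metadata/default.meta contents for the app in the question (made up for this example).
META_NOT_EXPORTED = """\
[]
access = read : [ * ], write : [ admin ]

[props]
# no export line, so props stanzas stay private to the app
"""

META_EXPORTED = """\
[]
access = read : [ * ], write : [ admin ]
export = system

[props]
export = system

[transforms]
export = system
"""


def parse_meta(text):
    """Minimal .meta parser: {stanza_name: {key: value}}; the empty name is the global [] stanza."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def export_scope(stanzas, conf_type, stanza=None):
    """Effective export value, most specific entry first (assumed precedence): [props/<stanza>], [props], []."""
    candidates = [conf_type, ""]
    if stanza is not None:
        candidates.insert(0, f"{conf_type}/{stanza}")
    for name in candidates:
        value = stanzas.get(name, {}).get("export")
        if value is not None:
            return value
    return "none"  # assumed default when no export line applies


def visible_outside_app(meta_text, conf_types=("props", "transforms")):
    """True per conf type when its stanzas are exported to the whole system (all apps)."""
    stanzas = parse_meta(meta_text)
    return {conf: export_scope(stanzas, conf) == "system" for conf in conf_types}


if __name__ == "__main__":
    for label, text in (("not exported", META_NOT_EXPORTED), ("exported", META_EXPORTED)):
        print(label, visible_outside_app(text))
```

Run it against the app's own metadata/default.meta (and local.meta, which overrides it) to see which configuration types are actually shared; a False for props means the EXTRACT setting will only be applied to searches run from within that app.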


Builder

My app is on my HF. Does it also need to be on the SH to access the search-time field extractions?

0 Karma

SplunkTrust

Another issue could be the search mode: if you run your search in fast mode, field extraction will only work for fields provided in the base search.

Again see the docs https://docs.splunk.com/Documentation/Splunk/latest/Search/Changethesearchmode for more details on that topic.

cheers, MuS

0 Karma