Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How does automatic key=value extraction works?

tpaulsen
Contributor
‎05-23-2012 10:42 AM

Hello,

we have a logfile that contains key=value pairs.
Usually Splunks automatic field extraction is working fine and is showing the fields. But...when i want to do a search like e.g. this:

source="/var/opt/tomcat/logs/san.log" tag="*"

Splunk tells me, that the field "tag" doesn´t exist.

But when i use:

source="/var/opt/tomcat/logs/san.log" | search tag="whateverilookfor*"

i get the results as wished but also a message on top of the window saying:

Encountered an unexpected error while
parsing intentions.

What is happening here and how can i avoid this?

Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎05-23-2012 12:21 PM

tag is probably a reserved word, since it refers to tagging of information. See the Knowledge Manager section in the docs.

Maybe that only applies when it comes before the first pipe. However, I believe that 

source="/var/opt/tomcat/logs/san.log" "tag=*"

would give you what you want, i.e. enclosing the statement in double quotes.

Hope this helps,

Kristian

View solution in original post

Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎05-23-2012 12:21 PM

tag is probably a reserved word, since it refers to tagging of information. See the Knowledge Manager section in the docs.

Maybe that only applies when it comes before the first pipe. However, I believe that 

source="/var/opt/tomcat/logs/san.log" "tag=*"

would give you what you want, i.e. enclosing the statement in double quotes.

Hope this helps,

Kristian

Reply
Solved! Jump to solution

tpaulsen
Contributor
‎03-07-2013 03:08 AM

Thank you Kristian, that was exactly the problem. Tag is a reserved word, so it shouldn´t be used in the Logevent as a fieldname. We change the fieldname to ltag, now it is working. Best, Thomas

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...