Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

INDEXED_EXTRACTIONS error in splunkd.log

znaesh
Path Finder
‎07-06-2018 06:57 AM

Can you please advise, what do I do if my Splunk complains often (every couple minutes) in splunkd.log in production environment about

07-06-2018 11:21:04.253 +0300 ERROR IndexedExtractionsConfig - Tried to set INDEXED_EXTRACTIONS but it already had a value! (was: 0, wanted: 😎

I have tried enabling debug logging level for IndexedExtractionsConfig, but got no details.
How can I locate and fix the problem?

0 Karma
Reply

znaesh
Path Finder
‎07-11-2018 04:29 AM

Are our ufix events considered by server to be erroneously indicated as CSV type? Is it a problem caused by unquoted space chars or something?

Sample ufix event:
"/opt/splunk/var/lib/splunk/xru/db/db_1531217904_1531166719_2035/rawdata","journal.gz",10.07.18 13:18 ,453815577,0,6E09087F,3,-

Sample ufix_status event:
List creation: 0, prj creation: 0, report creation: 0

splunk/etc/apps/x/local/props.conf:

[ufix]
DATETIME_CONFIG = CURRENT
FIELD_NAMES = directory, filename, date, byte_length, line_length, crc, crc_type, id_crc
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
category = Structured
description = CSV-report by ФИКС-Unix
disabled = false
pulldown_type = true

[ufix_status]
category = Structured
pulldown_type = 1
EXTRACT-list_status = List creation: (?\d*), prj
EXTRACT-prj_status = prj creation: (?\d*),
EXTRACT-report_status = report creation: (?\d*)
DATETIME_CONFIG = CURRENT
FIELD_NAMES = directory, filename, modify_date, byte_length, line_length, crc, crc_type, id_crc
INDEXED_EXTRACTIONS = csv
KV_MODE = none
NO_BINARY_CHECK = true
SHOULD_LINEMERGE = false
description = Comma-separated value format. Set header and other settings in "Delimited Settings"
disabled = false

0 Karma
Reply

znaesh
Path Finder
‎07-11-2018 04:28 AM

Checked that INDEXED_EXTRACTIONS setting is not being redefined several times in any configs.

There are no INDEXED_EXTRACTIONS settings in our server config except for ufix, ufix_status and default config files (unchanged).

ufix and ufix_status events are generated every morning, the should not be causing the minutely error messages.

0 Karma
Reply

znaesh
Path Finder
‎07-07-2018 05:39 AM

I am fixing a production Splunk with lots of inputs and users, so I cannot just 'start over' a fresh server and find out when the error would reappear again.
Please advise.
How can I track down the input causing the error?
How can I know what is the impact of the error?
What is the best practice to fix it in a proper way?
What is the meaning of this error at all?

0 Karma
Reply

ddrillic
Ultra Champion
‎07-06-2018 10:49 AM

I see the exact same error at -

alt text

But I can't reach this page from Latest Questions on Splunk Answers

Preview file
43 KB
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...