Simple searching by extracted field doesn't work

dariusz_kwasny · ‎11-20-2014

Hello,

I have following field extraction and eventtype related definitions:

In props.conf:

[eventtype::app_portal_antivirus_scan]
REPORT-scan-result = app-portal-scan-result

In transforms.conf:

[app-portal-scan-result]
REGEX = Scanning result: (?<scan_result>\d+)

I search events with query (from search app):

eventtype=app_portal_antivirus_scan

and I have expected results. I can see scan_result field in interesting field view. And it has values. Everything seems to be ok.

But when I try search using query:

eventtype=app_portal_antivirus_scan scan_result=*

there is no events displayed. I see message "No results found"

The strange thing is that when I use query:

eventtype=app_portal_antivirus_scan | search scan_result=*

expected events are displayed.

Why query

eventtype=app_portal_antivirus_scan scan_result=*

doesn't work but

eventtype=app_portal_antivirus_scan | search scan_result=*

works perfectly.

How can I search by scan_result field.

woodcock · ‎05-02-2015

This is a common "problem" with how Splunk optimizes searches. Add this to your app's fields.conf file and your searches will work:



[scan_result]

INDEXED_VALUE = false

cpetterborg · ‎11-20-2014

What happens when you do the following search:

sourcetype=app-portal-scan-result eventtype=app_portal_antivirus_scan

If you get nothing, then your eventtype and the sourcetype are in conflict with each other. Then try:

sourcetype=app-portal-scan-result

and see if you get results. From the interesting fields on the left side you should see the scan_result field.

I have not tried to do what you are doing the way that you are doing it, so I could be off base on what results you should see.

Try the following to see if you get any results if the above doesn't help:

eventtype=app_portal_antivirus_scan | rex "Scanning result: (?<scan_result>\d+)"

That should at least see if you can get the scan_result field extracted.

My approach would be to do a field extraction on the sourcetype to put the structure on your data at search time rather than to put the structure on the data at indexing time

dariusz_kwasny · ‎11-21-2014

My sourcetype name is app_portal_systemout

Search:

sourcetype=app_portal_systemout eventtype=app_portal_antivirus_scan

returns expected events.

Search:
sourcetype=app_portal_systemout

also retrus expected events and I can see scan_result field in the "interesting fields" view.

Search:

eventtype=app_portal_antivirus_scan | rex "Scanning result: (?\d+)"

works perfectly. I have scan_result field.

But still I can't search by scan_result field. Searches:

sourcetype=app_portal_systemout scan_result=*

or
eventtype=app_portal_antivirus_scan scan_result=*

don't work despite the fact that they are on "interesting fields" list.

I attach field extraction to eventtype because the log file includes lines formatted in different ways and it dont make sense to perform extraction on each line of the log.

cpetterborg · ‎11-21-2014

What is in your eventtype?

dariusz_kwasny · ‎11-21-2014

In the eventtype.conf file I have:

[app_portal_antivirus_scan]
search = index=app_portal sourcetype=portal_app_systemout  AntivirusScan
priority = 1

dariusz_kwasny · ‎11-21-2014

sorry, I've made mistake it should be:

[app_portal_antivirus_scan]
search = index=app_portal sourcetype=app_portal_systemout  AntivirusScan
priority = 1

cpetterborg · ‎11-21-2014

Since the sourcetype is in the eventtype, it is redundant to put it in the search string in the UI. Use:

eventtype=app_portal_antivirus_scan

Then from the interesting fields popup, select one of the values for the field (which adds the field value to the search), and see if you see any events as a result.

Simple searching by extracted field doesn't work

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!