Hello,
I have the following field extraction and eventtype-related definitions:
In props.conf:
[eventtype::app_portal_antivirus_scan]
REPORT-scan-result = app-portal-scan-result
In transforms.conf:
[app-portal-scan-result]
REGEX = Scanning result: (?<scan_result>\d+)
I search events with query (from search app):
eventtype=app_portal_antivirus_scan
and I get the expected results. I can see the scan_result field in the interesting fields view, and it has values. Everything seems to be OK.
But when I try search using query:
eventtype=app_portal_antivirus_scan scan_result=*
there are no events displayed. I see the message "No results found".
The strange thing is that when I use query:
eventtype=app_portal_antivirus_scan | search scan_result=*
expected events are displayed.
Why does the query
eventtype=app_portal_antivirus_scan scan_result=*
not work, but
eventtype=app_portal_antivirus_scan | search scan_result=*
works perfectly?
How can I search by the scan_result field?
This is a common "problem" with how Splunk optimizes searches. Add this to your app's fields.conf file and your searches will work:
[scan_result]
INDEXED_VALUE = false
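For reference, here is the full set of stanzas the thread ends up with, collected into one place (an added example assembled from the posts above, not the original poster's actual files; the `local/` directory and the eventtypes.conf stanza use the sourcetype name as corrected later in the thread). Per the fields.conf documentation, INDEXED_VALUE defaults to true, which lets the search layer expand `field=value` into a search that also requires `value` as an indexed term; setting it to false tells Splunk the value only exists as a search-time extraction, which is what the accepted answer relies on.

```ini
# $SPLUNK_HOME/etc/apps/<your_app>/local/props.conf
# Search-time extraction scoped to the eventtype (from the original post)
[eventtype::app_portal_antivirus_scan]
REPORT-scan-result = app-portal-scan-result

# $SPLUNK_HOME/etc/apps/<your_app>/local/transforms.conf
# The regex that pulls the numeric result out of the raw line
[app-portal-scan-result]
REGEX = Scanning result: (?<scan_result>\d+)

# $SPLUNK_HOME/etc/apps/<your_app>/local/eventtypes.conf
# Eventtype as corrected later in the thread
[app_portal_antivirus_scan]
search = index=app_portal sourcetype=app_portal_systemout AntivirusScan
priority = 1

# $SPLUNK_HOME/etc/apps/<your_app>/local/fields.conf
# The fix from the accepted answer: tell the search layer that scan_result
# is a search-time extraction, not an indexed value. Without this stanza
# INDEXED_VALUE is effectively true (the default).
[scan_result]
INDEXED_VALUE = false
```

After saving the files, restart Splunk (or reload the app's configuration) and re-run `eventtype=app_portal_antivirus_scan scan_result=*`; with the fields.conf stanza in place it should return the same events as the `| search scan_result=*` form.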
What happens when you do the following search:
sourcetype=app-portal-scan-result eventtype=app_portal_antivirus_scan
If you get nothing, then your eventtype and the sourcetype are in conflict with each other. Then try:
sourcetype=app-portal-scan-result
and see if you get results. From the interesting fields on the left side you should see the scan_result field.
I have not tried to do what you are doing the way that you are doing it, so I could be off base on what results you should see.
Try the following to see if you get any results if the above doesn't help:
eventtype=app_portal_antivirus_scan | rex "Scanning result: (?<scan_result>\d+)"
That should at least see if you can get the scan_result field extracted.
My approach would be to do a field extraction on the sourcetype to put the structure on your data at search time rather than to put the structure on the data at indexing time.
My sourcetype name is app_portal_systemout
Search:
sourcetype=app_portal_systemout eventtype=app_portal_antivirus_scan
returns expected events.
Search:
sourcetype=app_portal_systemout
also returns expected events and I can see the scan_result field in the "interesting fields" view.
Search:
eventtype=app_portal_antivirus_scan | rex "Scanning result: (?<scan_result>\d+)"
works perfectly. I have the scan_result field.
But I still can't search by the scan_result field. The searches:
sourcetype=app_portal_systemout scan_result=*
or
eventtype=app_portal_antivirus_scan scan_result=*
don't work despite the fact that scan_result is on the "interesting fields" list.
I attach the field extraction to the eventtype because the log file includes lines formatted in different ways, and it doesn't make sense to perform the extraction on each line of the log.
What is in your eventtype?
In the eventtypes.conf file I have:
[app_portal_antivirus_scan]
search = index=app_portal sourcetype=portal_app_systemout AntivirusScan
priority = 1
Sorry, I've made a mistake; it should be:
[app_portal_antivirus_scan]
search = index=app_portal sourcetype=app_portal_systemout AntivirusScan
priority = 1
Since the sourcetype is in the eventtype, it is redundant to put it in the search string in the UI. Use:
eventtype=app_portal_antivirus_scan
Then from the interesting fields popup, select one of the values for the field (which adds the field value to the search), and see if you see any events as a result.