Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Strange search results

joonradley
Path Finder
‎09-13-2010 10:47 AM

Hi,

I am currently indexing bash history files. The user and other information are encapsulated in the file name when all the history files are collected.

e.g. /install/.log/20100910124129-server1.user1.user4.desktop1.domain.tld.log

I use the following EXTRACT in the props.conf:

EXTRACT-userinfo=/install/\.log/(?<LOGOUT>\d{14})-(?<CMDHOST>[^\.]+)\.(?<USER>[^\.]+)\.(?<EUSER>[^\.]+)\.(?<FORMHOST>\.+)\.log in source

On viewing the results form the search:

index=myindex

Shows all the fields in the field picker with the correct counts. When clicking on one of the fields the search changes to:

Index=myindex CMDHOST =”host1”

Shows “No matching events found”

Index=myindex CMDHOST =”*host1”

List all the events for the CMDHOST

index="myindex" | fields _raw, CMDHOST | search CMDHOST ="host1"

again lists all the events for the specific CMDHOST.

Any ideas?

BTW tested on Splunk 4.1.2 and 4.1.5 on MacOSX, Windows and FreeBSD.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ziegfried
Influencer
‎09-13-2010 01:56 PM

This is because Splunk expects the field value of the CMDHOST field to be part of the raw event (ie. the _raw field). You have two options to make the field-search work:

  • Mark the fields with INDEXED_VALUE=false in fields.conf

fields.conf:

[CMDHOST]
INDEXED_VALUE=false
[LOGOUT]
INDEXED_VALUE=false
...
  • Make the fields derived from the source field indexed

See this on how to configure index-time field extractions: http://www.splunk.com/base/Documentation/latest/Admin/Configureindex-timefieldextraction

View solution in original post

Reply
Solved! Jump to solution
Solution

ziegfried
Influencer
‎09-13-2010 01:56 PM

This is because Splunk expects the field value of the CMDHOST field to be part of the raw event (ie. the _raw field). You have two options to make the field-search work:

  • Mark the fields with INDEXED_VALUE=false in fields.conf

fields.conf:

[CMDHOST]
INDEXED_VALUE=false
[LOGOUT]
INDEXED_VALUE=false
...
  • Make the fields derived from the source field indexed

See this on how to configure index-time field extractions: http://www.splunk.com/base/Documentation/latest/Admin/Configureindex-timefieldextraction

Reply
Solved! Jump to solution

joonradley
Path Finder
‎09-13-2010 02:16 PM

Thank you. This worked.

0 Karma
Reply
Solved! Jump to solution

maverick
Splunk Employee
Splunk Employee
‎09-13-2010 01:53 PM

I have not tested this yet myself, but upon first review of your description above, the fact that there is a dash char just before the host name makes me think it has something to do with that.

I would try escaping out that dash in your regex and see if it makes a difference.

EXTRACT-userinfo=/install/.log/(?<LOGOUT>\d{14})-(?<CMDHOST>[^.]+).(?<USER>[^.]+).(?<EUSER>[^.]+).(?<FORMHOST>.+).log

OR try this version of the regex that uses \S+ for the value extraction, since there are no spaces in the event.

EXTRACT-userinfo=/install/.log/(?<LOGOUT>\d{14})-(?<CMDHOST>\S+?).(?<USER>\S+?).(?<EUSER>\S+?).(?<FORMHOST>\S+).log

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Platform | Upgrading your Splunk Deployment to Python 3.9

Splunk initially announced the removal of Python 2 during the release of Splunk Enterprise 8.0.0, aiming to ...

From Product Design to User Insights: Boosting App Developer Identity on Splunkbase

co-authored by Yiyun Zhu & Dan Hosaka Engaging with the Community at .conf24 At .conf24, we revitalized the ...

Detect and Resolve Issues in a Kubernetes Environment

We’ve gone through common problems one can encounter in a Kubernetes environment, their impacts, and the ...