Re: Unable to search by field values with long val...

chrisduimstra · ‎06-02-2016

The values from field exception_info are long multi-line values that are shown properly, but they are unable to be searched for directly. Running this search shows all the exception info values, the values also appear under the left fields bar under the events tab.

sourcetype=WinEventLog:Application Type=Error | stats count by exception_info

When searching by a specific value, it returns no results.

sourcetype=WinEventLog:Application Type=Error  exception_info="value"

I have tested with adding a wildcard search as mentioned in a splunk blog but still receive the same results.
http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/

sourcetype=WinEventLog:Application Type=Error exception_info=* | search exception_info="value"

This issue affects the message field as well, which also contains long values. The exception_info and message fields are the only two fields affected and they both have long values, so I'm guessing there's a correlation there. Any insight into how to solve this would be appreciated.

woodcock · ‎06-02-2016

You are probably running in to this well-known problem:
http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/

The solution is to put this into fields.conf in the same directory that you have your field extractions (where props.conf is):

[MyField]
INDEXED_VALUE = false

somesoni2 · ‎06-02-2016

Do the value that you're searching is single line value and is the full value for the field exception_info? If you can see the field exception_info on the field side bar on left, then try clicking on a value to add that as filter, instead of typing it out..

chrisduimstra · ‎06-02-2016

The values are multi-line, and I have tried clicking on the value to add it into the search and have checked to make sure there are quotes surrounding the value.
Here's an example value

Type: System.NullReferenceException
Message: Object reference not set to an instance of an object.
TargetSite: Void Page_Load(System.Object, System.EventArgs)
Source: Buy.Web.Product
HResult: -2147467261

somesoni2 · ‎06-02-2016

And you've to search for full value itself (Nothing unique the error/exception that is single liner)?

chrisduimstra · ‎06-02-2016

I could extract each field separately, but the entirety of the exception_info field is already extracted and it would be more useful and faster to search as a whole value as it is currently.

somesoni2 · ‎06-02-2016

Since the value is multiline, I believe your search should also be written in the same way. Give this a try

sourcetype=WinEventLog:Application Type=Error  exception_info="Type: System.NullReferenceException
Message: Object reference not set to an instance of an object.
TargetSite: Void Page_Load(System.Object, System.EventArgs)
Source: Buy.Web.Product
HResult: -2147467261"

OR (not the best way)

 sourcetype=WinEventLog:Application Type=Error  (exception_info="Type: System.NullReferenceException*" AND exception_info="*Message: Object reference not set to an instance of an object.*" AND exception_info="*TargetSite: Void Page_Load(System.Object, System.EventArgs)*" AND exception_info="Source: Buy.Web.Product*" AND exception_info="*HResult: -2147467261*")

chrisduimstra · ‎06-02-2016

Neither of these options return results.

Unable to search by field values with long values

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk