Splunk Search

Why does an extracted timestamp field show as _raw?

mvanberg
Explorer

I've set up a field extraction with the K=V; format, and every field is working correctly except for the first field, "timestamp".

Here's the format I'm starting with:

timestamp=1485969522;addr=3232236035;as=192;volume=356;account=1-53abcef

In transforms.conf:

[kv_extraction]
DELIMS = ";", "="

The result:

timestamp:

 timestamp=1485969522;addr=3232236035;as=192;volume=356;account=1-53abcef

(In other words, the timestamp field is being extracted as the entire event, i.e. _raw.)
*Note: _time is showing up correctly.

addr:
3232236035
(working correctly and shows only the extracted value for all the remaining fields)

Am I doing something wrong here?

P.S.

I tried adding this to props.conf and it did nothing:

TIME_PREFIX= timestamp=
0 Karma

somesoni2
SplunkTrust

Can you try keeping KV_MODE=none in your props.conf on the Search Head? This link explains the order of search-time field extractions.
http://docs.splunk.com/Documentation/Splunk/6.5.0/Knowledge/Searchtimeoperationssequence

So, your transforms.conf entry (REPORT) gets executed first and creates all fields correctly, including timestamp. Then the fields are extracted based on KV_MODE (defaults to auto), in which timestamp is extracted again and overwrites the current value. It captures whole values as there are no spaces.

0 Karma

mvanberg
Explorer

Thanks for the post. I just added "KV_MODE = none" to props.conf and nothing has changed. I even restarted splunk just in case -- though I shouldn't have had to -- and nothing... Any other thoughts?

0 Karma

somesoni2
SplunkTrust

I thought that would be it. Just to confirm, we set KV_MODE = none on the search head, under the same sourcetype stanza. Changing the configuration files from the file system would require a restart.

0 Karma

somesoni2
SplunkTrust

You've added a transforms.conf entry. Have you related it to your sourcetype in your props.conf? FYI, the attribute TIME_PREFIX is used during event processing (timestamp extraction before indexing) and sets the keyword from where the timestamp is available in _raw and which should be used as _time. It doesn't help with field extraction.

0 Karma
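Putting the two suggestions in this thread together, this is what the search-head configuration looks like with the transform linked to the sourcetype through a REPORT class and automatic key=value extraction switched off, so that the later auto extraction cannot overwrite the "timestamp" value the transform already produced. This is an added example, not configuration posted in the thread; the sourcetype name `my_kv_logs` and the REPORT class name `kv` are assumed placeholders.

```ini
# transforms.conf (search head) -- the delimiter-based stanza from the question
[kv_extraction]
DELIMS = ";", "="

# props.conf (search head) -- "my_kv_logs" is an assumed placeholder sourcetype name
[my_kv_logs]
# Link the transform to this sourcetype. REPORT-<class> extractions run before
# automatic key=value extraction in the search-time sequence.
REPORT-kv = kv_extraction
# Disable automatic key=value extraction for this sourcetype so it does not run
# afterwards and overwrite the "timestamp" field with the whole event.
KV_MODE = none
```

Both files must be edited under the same app on the search head and the stanza name must match the sourcetype of the events; after changing the files on the file system, restart Splunk as noted above. A quick check is a search such as `sourcetype=my_kv_logs | table timestamp addr volume account`, where `timestamp` should now show only `1485969522` rather than the full event.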

mvanberg
Explorer

I do have the entry added in props.conf. It's good to know that TIME_PREFIX is done before indexing, because this is all stuff I'm adding to the search heads. It still doesn't explain why the other fields are extracting just fine and this one is ignoring the delimiters. My guess is that it's because you cannot extract data with the key of "timestamp..." but I have not confirmed this. That, or maybe the first field of an event gets treated differently...

0 Karma

DalJeanis
SplunkTrust

This question would be clearer if you showed some actual dummy data rather than the word "value".

0 Karma

mvanberg
Explorer

I added some real data, maybe that will help.

0 Karma