Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why is Extracted field not searchable?

oliverja
Path Finder
‎06-27-2022 01:27 AM

I have logs that seem to be extracting perfectly. All fields show up in "Interesting Fields", and each one can be searched (myField=*) gives results.

EXCEPT:

I have a field called "domain". It cannot be searched. It is there. It shows 100% of events have it. I hover over it and i see the contents. But when I run a search, nada.

 

index=disa-cbii

 

oliverja_1-1656318185235.png

Search 

 

index=disa-cbii domain="insight.adsrvr.org"

 

0 Results found.

Same for domain=*

Now, if we throw in spath

 

index=disa-cbii 
| spath domain
| search domain="insight.adsrvr.org"

 

we get plenty of results.

What is happening? From everything i can tell, I should not need spath because the event is extracting just fine. All the other dozen fields are extracted and searchable. 

 

index=disa-cbii 
| table domain

 

 works fine. How can I table something that doesn't exist?

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-27-2022 01:44 AM

Hi @oliverja,

if you said the using the spath command you see the data, I suppose that you're speaking of json format, did you used the INDEXED_EXTRACTION=JSON in your props.conf?

Ciao.

Giuseppe

0 Karma
Reply

oliverja
Path Finder
‎06-27-2022 02:09 AM

I have "KV_MODE = json" in my props.conf, which I took to mean that my extractions could take place at search time, instead of index time.

If I do your solution, I would need to disable the KV_MODE so that it is not doing the same work twice? But it would be done on the ingest/index side, not search. We get a lot of these, and I am worried about the storage implications.

I also want to add -- "domain" shows up as covering 100% of events. Again implying it is working?

oliverja_0-1656321192530.png

 

0 Karma
Reply

oliverja
Path Finder
‎07-05-2022 10:07 PM

Any more clarification before I start overriding things?

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-05-2022 11:33 PM

Hi @oliverja,

as I said, I usually use INDEXED_EXTRACTIONS = JSON and it always correctly runs  but kv_mode = json should still work.

Anyway, if the problem is only on one field (domain) maybe the easiest solution is to add a regex extraction on ly for this field, to avoid to change all your extractions.

Ciao.

giuseppe

 

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...