Splunk Search

Why is the search-time extraction being skipped for the first key-value pair within a particular field?


Looking for advice/suggestions to the following. I created a powershell function that makes getting data inside Splunk easy. The only issue I currently have is that the first KV field inside the Body field is always ignored.

Splunk will not perform any extraction at search-time for dnsserver.

2016-01-29T011:19:56:369-05:00 id="614aa2df-c04b-4656-83f5-c708b174c829" app="SMTP_Job_Manager_Test" task="mx record check" operator="MyID" operatordisplay="MYDisplay" type="information" severity="informational" severity_id="1" body=" dnsserver="" recordtype="MX" ttl="20697" smtp_server="mail.google.com" preference="20" emaildomainname="google.com" "

If i put a fake KV in front of dnsserver it will work and it will extract dnsserver.

 body=" fake=field dnsserver="" recordtype="MX" ttl="20697" smtp_server="mail.google.com" preference="20" emaildomainname="google.com" 

I am pretty happy with the way the function work with the exception of this minor issue. Any clue why this is happening?


0 Karma


It looks like splunk takes body as a field and dnsserver= as it's value . You can verify it by

your search | table body dnsserver recordtype

Whenever you add fake=field, fake= is assigned to body and then dnsserver is extracted as expected.

What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Get Updates on the Splunk Community!

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...