Why is the search-time extraction being skipped fo...

MartinMcNutt · ‎01-29-2016

Looking for advice/suggestions to the following. I created a powershell function that makes getting data inside Splunk easy. The only issue I currently have is that the first KV field inside the Body field is always ignored.

Splunk will not perform any extraction at search-time for dnsserver.

2016-01-29T011:19:56:369-05:00 id="614aa2df-c04b-4656-83f5-c708b174c829" app="SMTP_Job_Manager_Test" task="mx record check" operator="MyID" operatordisplay="MYDisplay" type="information" severity="informational" severity_id="1" body=" dnsserver="8.8.4.4" recordtype="MX" ttl="20697" smtp_server="mail.google.com" preference="20" emaildomainname="google.com" "

If i put a fake KV in front of dnsserver it will work and it will extract dnsserver.

 body=" fake=field dnsserver="8.8.4.4" recordtype="MX" ttl="20697" smtp_server="mail.google.com" preference="20" emaildomainname="google.com"

I am pretty happy with the way the function work with the exception of this minor issue. Any clue why this is happening?

Thanks

renjith_nair · ‎01-29-2016

It looks like splunk takes body as a field and dnsserver= as it's value . You can verify it by

your search | table body dnsserver recordtype

Whenever you add fake=field, fake= is assigned to body and then dnsserver is extracted as expected.

---
What goes around comes around. If it helps, hit it with Karma 🙂

Why is the search-time extraction being skipped for the first key-value pair within a particular field?

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?