Looking for advice/suggestions to the following. I created a powershell function that makes getting data inside Splunk easy. The only issue I currently have is that the first KV field inside the Body field is always ignored.
Splunk will not perform any extraction at search-time for dnsserver.
2016-01-29T011:19:56:369-05:00 id="614aa2df-c04b-4656-83f5-c708b174c829" app="SMTP_Job_Manager_Test" task="mx record check" operator="MyID" operatordisplay="MYDisplay" type="information" severity="informational" severity_id="1" body=" dnsserver="8.8.4.4" recordtype="MX" ttl="20697" smtp_server="mail.google.com" preference="20" emaildomainname="google.com" "
If i put a fake KV in front of dnsserver it will work and it will extract dnsserver.
body=" fake=field dnsserver="8.8.4.4" recordtype="MX" ttl="20697" smtp_server="mail.google.com" preference="20" emaildomainname="google.com"
I am pretty happy with the way the function work with the exception of this minor issue. Any clue why this is happening?
Thanks
It looks like splunk takes body
as a field and dnsserver=
as it's value . You can verify it by
your search | table body dnsserver recordtype
Whenever you add fake=field, fake=
is assigned to body
and then dnsserver is extracted as expected.