Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why splunk stop to extract new fields for some reason?

imanpoeiri
Communicator
‎08-17-2015 12:56 AM

Hi Splunkers,

I will cut the intro and talk straight to the problem:

I have 5 fields that were declared on props.conf, lets say:

[sourcetype_name]
INDEXED_EXTRACTIONS=csv
TIMESTAMP_FIELDS ="datefield"
FIELDALIAS-alias-may="field1" AS fieldA "field2" AS fieldB "field3" AS field3 "datefield" AS date_created "field5" AS fieldE

I can find field1, fieldA, field2, fieldB, datefield, field5 on the indexed fields, but not for date_created, and fieldE.

but when i move the "field3" AS field3 to the very last of the line, I can find datefield, date_created, field5, and fieldE.

I know it is not a best practice to put the same field name in the props.conf, but why splunk stop the field extraction when it hit error? I think splunk should be able to ignore the error on thus field and continue to extract the next fields.

Can I consider this as a bug?

0 Karma
Reply

woodcock
Esteemed Legend
‎08-17-2015 09:14 AM

I could go either way on it myself but tend to agree with you. You have nothing to lose by filing a bug report with support.Splunk.com.

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...