Splunk Search

Why would data show up in _raw but not in search results after SEDCMD?

danfein
New Member

Hi there,
I have several multivalue fields that are sometimes uneven. To make up for this, I'm trying to use SEDCMD to add a value anytime that value would otherwise be empty.

Example before SEDCMD:
FIELD 1 FIELD 2
1
2 data
3

Example after SEDCMD:
FIELD 1 FIELD 2
1 -1
2 data
3 -1

So I have SEDCMD-fillvaluenull = s/"fields": {}/"fields": {"value":"-1"}/g

And if I search for _raw then I see that it has successfully changed to -1, but when I search for fields.value it is not showing the -1; it only returns the data that I imported, it seems.

0 Karma

lukejadamec
Super Champion

Why?
Because Indexed Extractions and Sedcmds in props both occur at index time and both end up in the index. However, I'm not sure why _raw does not match event Information or Interesting fields.

Instead of the sedcmd you might try the MISSING_VALUE_REGEX parameter in props.conf to fill in fields that are empty.

0 Karma

somesoni2
Revered Legend

Use KV_MODE = json to extract the field at search-time which will happen after SEDCMD.

0 Karma

sundareshr
Legend

I'm assuming you are using INDEXED_EXTRACTIONS=json in your props. SEDCMD happens AFTER INDEXED_EXTRACTIONS. In other words, the fields are extracted before they are changed in _raw. You could try removing INDEXED_EXTRACTIONS and do the extractions in SPL, or use REPORT or EXTRACT in your props on your SH.

0 Karma

danfein
New Member

As soon as I removed INDEXED_EXTRACTIONS I'm unable to see any fields on the right-hand side (of the Upload GUI).

Do you recommend I not use SEDCMD? I'm not sure how to use SPL or Report or EXTRACT.

0 Karma

sundareshr
Legend

You cannot use INDEXED_EXTRACTIONS & SEDCMD the way you were using it. Your options are to keep the SEDCMD, remove INDEXED_EXTRACTIONS and use field extractions on the SH by making these changes

props.conf

[unique_stanza_with_sedcmd]
KV_MODE = json

thanks to @somesoni2 for the suggestion

0 Karma
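To make the ordering problem from sundareshr's explanation and the fix from the last answer concrete, here is an added props.conf example (not posted in this thread) that puts the failing layout beside the working one for a hypothetical sourcetype `my_json_events`. The SEDCMD line is the one from the question; the stanza name and the split of settings across forwarder, indexer and search head are assumptions about a typical deployment, not something the thread states.

```ini
# Added example, not from the thread. Hypothetical sourcetype: my_json_events.
# The point is pipeline order: INDEXED_EXTRACTIONS parses the structured JSON
# first, SEDCMD rewrites _raw afterwards, so index-time fields keep the
# original (empty) value while _raw already shows -1.

# ---- Layout 1: what the question describes (fields.value never shows -1) ----
# props.conf on the instance that reads and parses the file (assumed here:
# the forwarder / indexer).
[my_json_events]
INDEXED_EXTRACTIONS = json
# Runs after the structured extraction above, so only _raw is changed.
SEDCMD-fillvaluenull = s/"fields": {}/"fields": {"value":"-1"}/g

# ---- Layout 2: the fix from the answer above ----
# props.conf on the parsing instance: keep the rewrite, drop INDEXED_EXTRACTIONS.
[my_json_events]
SEDCMD-fillvaluenull = s/"fields": {}/"fields": {"value":"-1"}/g

# props.conf on the search head: extract JSON at search time. Search-time
# extraction reads the already rewritten _raw, so fields.value carries -1
# wherever the "fields" object was empty in the original event.
[my_json_events]
KV_MODE = json
```

Quick check after deploying layout 2: search the sourcetype, confirm `_raw` still contains `"value":"-1"` for the padded events, and confirm `fields.value` now lists `-1` under Interesting Fields; if the field is still missing, the search head is not picking up the `KV_MODE = json` stanza (wrong app or stanza name), which is a separate problem from the ordering issue discussed here.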