Splunk Search

field attaches too much data

Path Finder

The log entry is:

2011-04-20 01:04:12,026 [DEBUG] com.company.ldap.SpringLdapDao.java(?) - **username=ahall** returned no groups, which probably means the user needs to be assigned groups by security
2011-04-19 18:06:49,424 [DEBUG] com.company.ldap.SpringLdapDao.java(?) - **username=frozndrk** returned no groups, which probably means the user needs to be assigned groups by security

I would expect to see a list of usernames with the simple values (e.g. ahall, frozndrk), but in reality, what I see for the username field is:

  • ahall returned no groups
  • frozndrk returned no groups

In some odd way, it is also grabbing data to the comma. I only want the username, and not the junk after it.

Why is this happening?

Thanks,
Sean

Tags (1)
1 Solution

SplunkTrust
SplunkTrust

Is this a field extraction you've defined, or is Splunk auto-extracting it? It sounds like maybe you need to define a slightly different regex for this. Try this as a test, and see how it does with values for test_username.

returned no groups | rex "username=(?<test_username>.*) returned no groups"

You can add this to props.conf for your sourcetype using something like:

[mysourcetype]
EXTRACT-username = username=(?<username>.*) returned no groups

View solution in original post

SplunkTrust
SplunkTrust

Is this a field extraction you've defined, or is Splunk auto-extracting it? It sounds like maybe you need to define a slightly different regex for this. Try this as a test, and see how it does with values for test_username.

returned no groups | rex "username=(?<test_username>.*) returned no groups"

You can add this to props.conf for your sourcetype using something like:

[mysourcetype]
EXTRACT-username = username=(?<username>.*) returned no groups

View solution in original post

SplunkTrust
SplunkTrust

It's hard to say for 100% sure without digging through your configuration. You could always add the above extraction to props.conf for your sourcetype. See update to answer...

0 Karma

Path Finder

I have looked through my existing Field Extractions, and I do not see anything related to this particular username. So I think it appears to be Splunk making this extraction.

Using your inline extraction above retrieves the usernames as expected for the test_username field.

Any idea why Splunk would extract usernames wrong? What configuration can I check to ensure it is not something I have done?

Thanks,
Sean

0 Karma