have to add wildcard to end of field value to search.. strange...

mmattek
Path Finder

I have a field defined in a transform. The field appears to work fine in a chart, whatever, but to use it in a search I have to put fieldfoo="value*", even though the value has no trailing characters (not even a space, I checked) after the "e" in this case.

To make it even weirder, there is an alias to this field (for backward compatibility with some old searches), and that one works fine....


Ayn
Legend

Might this field contain a value that isn't part of indexed data, or only part of a token in indexed data? For instance, in the first case, the field could have been extracted in something like this manner:

[myfieldextraction]
REGEX = (matchsomething)
FORMAT = myfield::someothertext

...so the field would have the value "someothertext" even though that value doesn't actually exist at all in the index.

Or, in the second case, the extraction would look something like this:

[myotherfieldextraction]
REGEX = (matchjust)apartofaword
FORMAT = myotherfield::$1

If any of these apply to your extraction, you are very likely seeing the effects of what is described in detail in this excellent blog post: http://blogs.splunk.com/2011/10/07/cannot-search-based-on-an-extracted-field/

Ayn
Legend

You shouldn't set INDEXED=true because it's not an indexed field. I know the docs (and the blog post I linked to) say that Splunk should be able to handle this situation by itself now, so you won't have to set INDEXED_VALUE yourself; however, that simply doesn't seem to be true. Try just setting INDEXED_VALUE=false without setting INDEXED=true.

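
To make the mechanism in Ayn's two replies concrete, here is a small Python model added for this write-up; it is not Splunk code and not from the original thread. It approximates Splunk's index-time segmentation and the search-time pushdown of field=value to an indexed-term lookup, then runs the two extraction shapes from the first reply (a FORMAT that writes a literal value, and a capture of part of a longer token) against a few constructed events, once with the default INDEXED_VALUE=true and once with INDEXED_VALUE=false as the second reply suggests. The breaker sets, event lines and field names are assumptions for illustration.

```python
import re

# Constructed sample events standing in for _raw (not from the original thread).
EVENTS = [
    'INFO [worker-1] com.example.App user@realm 4242 msg-7 started',
    'WARN [worker-2] com.example.App user@realm 4243 msg-8 slow',
    'ERROR [worker-1] com.example.Db dba@realm 4244 msg-9 failed',
]

# Rough stand-ins for Splunk's major and minor segmenters (assumption: the real
# breaker sets live in segmenters.conf and are longer than this).
MAJOR_BREAKERS = re.compile(r'[\s\[\]<>(),;!?]+')
MINOR_BREAKERS = re.compile(r'[-./:@=]+')


def tokenize(raw):
    """Return the set of terms the index would hold for one event."""
    terms = set()
    for major in MAJOR_BREAKERS.split(raw):
        if not major:
            continue
        terms.add(major.lower())
        terms.update(m.lower() for m in MINOR_BREAKERS.split(major) if m)
    return terms


# Search-time extractions modelled on the two shapes in Ayn's answer plus one
# well-behaved field. Names are hypothetical; each entry is (REGEX, FORMAT).
EXTRACTIONS = {
    # [myfieldextraction]  REGEX = (ERROR)  FORMAT = myfield::someothertext
    'myfield': (re.compile(r'(ERROR)'), lambda m: 'someothertext'),
    # [myotherfieldextraction]  REGEX = (wor)ker  FORMAT = myotherfield::$1
    'myotherfield': (re.compile(r'(wor)ker'), lambda m: m.group(1)),
    # a value that is a whole indexed term, so field=value works unaided
    'loglevel': (re.compile(r'^([A-Z]+)\s'), lambda m: m.group(1)),
}


def extract(raw, field):
    """Run one search-time extraction against an event; None if no match."""
    regex, fmt = EXTRACTIONS[field]
    m = regex.search(raw)
    return fmt(m) if m else None


def term_matches(terms, pattern):
    """Index lookup: exact term, or prefix when the pattern ends in '*'."""
    p = pattern.lower()
    if p.endswith('*'):
        return any(t.startswith(p[:-1]) for t in terms)
    return p in terms


def value_matches(value, pattern):
    """Compare an extracted value against field=pattern (case-insensitive)."""
    v, p = value.lower(), pattern.lower()
    return v.startswith(p[:-1]) if p.endswith('*') else v == p


def search(field, pattern, indexed_value=True):
    """Model Splunk evaluating  field=pattern  over EVENTS.

    With INDEXED_VALUE=true (the default) the optimizer assumes the value is an
    indexed term and pre-filters events through the index lookup; the extraction
    only runs on the survivors. With INDEXED_VALUE=false that pre-filter is
    skipped and every event is extracted and compared.
    """
    hits = []
    for raw in EVENTS:
        if indexed_value and not term_matches(tokenize(raw), pattern):
            continue
        value = extract(raw, field)
        if value is not None and value_matches(value, pattern):
            hits.append(raw)
    return hits


if __name__ == '__main__':
    cases = [
        ('loglevel', 'ERROR', True),           # whole term: 1 hit
        ('myotherfield', 'wor', True),         # partial term: 0 hits
        ('myotherfield', 'wor*', True),        # trailing wildcard rescues it: 3 hits
        ('myotherfield', 'wor', False),        # INDEXED_VALUE=false: 3 hits
        ('myfield', 'someothertext', True),    # literal never indexed: 0 hits
        ('myfield', 'someothertext*', True),   # wildcard cannot help here: 0 hits
        ('myfield', 'someothertext', False),   # INDEXED_VALUE=false: 1 hit
    ]
    for field, pattern, iv in cases:
        n = len(search(field, pattern, iv))
        print(f'{field}={pattern:<16} INDEXED_VALUE={str(iv).lower():<5} -> {n} hit(s)')
```

The partial-token case reproduces the symptom in the question: field=wor finds nothing because "wor" is not a term in the index, while field=wor* turns the lookup into a prefix scan that "worker" satisfies. The literal-FORMAT case shows that a wildcard is not a general workaround, since no indexed term starts with "someothertext"; only skipping the index pre-filter (INDEXED_VALUE=false in fields.conf, without INDEXED=true) returns the event.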

mmattek
Path Finder

put this in two comments for length 🙂

Then I have this in props.conf:

REPORT-frameworkparts = framework-parts,framework-threadname-parts,rmdirect-structuredlog,rmdirect-structuredlog-props,rm-framework-event-type

[threadname]
INDEXED=true
INDEXED_VALUE=false


mmattek
Path Finder

That's interesting. I tried INDEXED_VALUE=false; it didn't fix it. The fields.conf spec indicates this is only applicable when INDEXED=false, and this field is INDEXED=true.

Here's the deal: I have a transform (in the transforms.conf of this app).
[framework-parts]
FORMAT = $0 loglevel::"$1" threadname::"$2" logger::"$3" user::"$4" rmrealm::"$5" processid::"$6" messageid::"$7"
REGEX = ([A-Z]+)\s+\[(.*?)\]\s+(.*?)\s+((.*?@(.*?)|.*?))\s+((.*?))\s+((.*?))
