Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

real-time search and field extraction/transformation

alexiri
Communicator
‎05-20-2011 07:59 AM

I used to have an index-time field extraction on one of my source types in order to get the error code of the message. I also had a real-time alert on that field, something like "error=ANR1234E". This worked quite nicely, whenever that particular error came up the alert action was triggered.

I've just converted this field extraction to a search-time one, as I've been told that there is no longer a performance benefit and this way its more flexible. Now, my real-time alert no longer works.

Reading the documentation on real-time alerts I see why: they're triggered before index-time. The question is, why, then, did it work when I was doing an index-time field extraction?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

hazekamp
Builder
‎05-20-2011 09:10 AM

You are correct in that real-time searches grab the data before it hits the index queue, however real-time searches do have access to search time field extractions which happen in the parsing queue.

Can you successfully search for "error=ANR1234E" via non RT search. This would rule out the field extraction as the culprit?

View solution in original post

0 Karma
Reply
Solved! Jump to solution

alexiri
Communicator
‎05-20-2011 09:54 AM

You are totally correct, I couldn't. I had the extractions defined in props.conf as EXTRACT-, changing this to REPORT- made it work correctly again. Thanks for pointing me in the right direction!

0 Karma
Reply
Solved! Jump to solution
Solution

hazekamp
Builder
‎05-20-2011 09:10 AM

You are correct in that real-time searches grab the data before it hits the index queue, however real-time searches do have access to search time field extractions which happen in the parsing queue.

Can you successfully search for "error=ANR1234E" via non RT search. This would rule out the field extraction as the culprit?

0 Karma
Reply
Solved! Jump to solution

alexiri
Communicator
‎05-20-2011 08:42 AM

I did, it's "error=ANR1234E".

Regardless, the question isn't about a particular search that isn't working. The question is, how is it possible that a real-time search based on an index-time field extraction actually works, given that the real-time search supposedly runs before the event is indexed?

0 Karma
Reply
Solved! Jump to solution

Simeon
Splunk Employee
Splunk Employee
‎05-20-2011 08:37 AM

It would help if you paste your exact search.

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...