Splunk Search

search-time extracted field showing no results when used in search

builder
Path Finder

My set up is that I have splunk forwarders sending data to two load balanced indexers. I then have a search head that uses the indexers as search peers.

I have a standard rails log file where every new request starts with a line like:

Started (GET|POST) "/some-path"46

I want to extract "/some-path" into a field rails-action-path. I was using the documentation here to set up search time extraction using EXTRACT:

http://www.splunk.com/base/Documentation/4.2.1/Knowledge/Createandmaintainsearch-timefieldextraction...

The EXTRACT directive is in $SPLUNK_HOME/etc/apps/search/local/props.conf on my search-head as follows.

[(?:::){0}*rails]
EXTRACT-<rap> = Started \S+ (?<rails_action_path>[\S\/"\.]+)

After restarting splunk on my search head, I can see the field in the field list under "Other interesting fields". All valid values of the field show up with relative percentages. However, if I click on one of those values to search by it, I get 0 results/No matching events found. Given that it just showed me the count of all the events with that value, that doesn't seem right. Note that if I search by field="*", I get all results, but any specific value returns no results.

Can anyone help me figure out what's going wrong here?

Thanks,

Leigh

1 Solution

builder
Path Finder

I finally figured this out by myself. The rails_action_path values were including the quotes. So for example, the value of rails_action_path in the above example was "/sessions/new" not /sessions/new. That mattered as the search was putting quotes around the value, but those were being interpreted by splunk and the search command and not considered part of the value, thus there was no match on the value which did include the quotes. I realized this was going on because the values listed in the chart for the extracted rails_action_path field all had quotes around them, but values listed for other extracted fields did not have quotes around them.

I changed the extraction from:

EXTRACT- = Started \S+ (?[\S\/".]+)

to:

EXTRACT- = Started \S+ "(?[\S\/.]+)"

Now searching on rails_action_path="/sessions/new" works because the value of rails_action_path is actually /sessions/new. The values listed in the chart for the rails_action_path extracted field no longer show quotes around them either.

View solution in original post

kurt28
Path Finder

I have a problem similar to builder. Two of my extractions in props.conf are :

EXTRACT-extract_MessageOne = .+(SD|RV).+:\d{4}(?P\d{2})

EXTRACT-extract_MessageTwo = .+(SD|RV).+:\d{6}(?P\d{6})

and the stanza is [(?:::){0}PC].

When the search is:

source="sourcename" MsgOne=443212 or source="sourcename" | search MsgTwo=30, it returns the right results;

but when the search is:

source="sourcename" MsgTwo=30, it returns nothing.

I can't find if there is any difference between the two extractions in regex.

Can any one help?

builder
Path Finder

I finally figured this out by myself. The rails_action_path values were including the quotes. So for example, the value of rails_action_path in the above example was "/sessions/new" not /sessions/new. That mattered as the search was putting quotes around the value, but those were being interpreted by splunk and the search command and not considered part of the value, thus there was no match on the value which did include the quotes. I realized this was going on because the values listed in the chart for the extracted rails_action_path field all had quotes around them, but values listed for other extracted fields did not have quotes around them.

I changed the extraction from:

EXTRACT- = Started \S+ (?[\S\/".]+)

to:

EXTRACT- = Started \S+ "(?[\S\/.]+)"

Now searching on rails_action_path="/sessions/new" works because the value of rails_action_path is actually /sessions/new. The values listed in the chart for the rails_action_path extracted field no longer show quotes around them either.

jbsplunk
Splunk Employee
Splunk Employee

It might be that the search time field extraction hasn't been completed and isn't fully available. You could test this by doing something like this:

'sourcetype="space-rails" | search rails_action_path="/sessions/new"

Does that return results? It doesn't explain the behavior, but it might be a good workaround.

0 Karma

builder
Path Finder

That does not return results either. : \

0 Karma

builder
Path Finder

sourcetype="space-rails" rails_action_path="/sessions/new" (this came from clicking on the first value listed for rails_action_path in the "Other interesting fields" list)

0 Karma

jbsplunk
Splunk Employee
Splunk Employee

What exactly does your search look like?

0 Karma
Get Updates on the Splunk Community!

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...