All Posts
This is showing that the fields have been extracted incorrectly. Yet again I ask if you could please share your configurations which are being used to extract the fields for this sourcetype - this is likely to be where your problem lies, so if you want a resolution, you are going to have to give us more information.
Please paste the text (not an image) of the search into a code block (otherwise, it is too small to be read easily).
Hi Team, could you please help me with installing the pandas module for Phantom? Regards, Harisha
I have observed one more thing with these failed events. In the event section, usually at the end of each event, the default fields like host, sourcetype, etc., will be appended and displayed. Similarly, in addition to those default fields, I could see that the Request_ID field is also displayed in that section after each event. There, I could see that the format of Request_ID is in an unexpected form. Please check the screenshot below (after the field CT=1, the section of default fields is shown).
Hi, please find the image below.
As I said, these look like two different sourcetypes and should be treated as such.
So it looks like it is to do with how the fields are extracted. Please can you share these details?
Please share some of the events which are being returned incorrectly (anonymised appropriately).
@ITWhisperer I am not using the TIME_FORMAT attribute here, so it should probably work? Please share your thoughts.
Actually, I have shared a picture of the raw event of the failed ones only (just masked the confidential fields). They look similar to the other events which work.
Yes, I can see the output. However, the search returns results based on the string mentioned in the brackets, and additionally it returns most of the other user IDs, for example @abc.com, @test.com, testing.@test.co
Also you shared (a picture of) an event which works, but not one which doesn't. Please can you share the raw text of a "failing" event in a code block (rather than a picture) - you can obfuscate any sensitive details as appropriate.
So it looks like it is to do with how the fields are extracted. Please can you share these details?
I am using just the table command:
index=main host=* sourcetype=* source=* | table _time, Request_id, Future_id
Ideally, these should be ingested as different sourcetypes so that different parsing can be associated with the different formats.
How are the fields extracted?
What is the search?
We are trying to configure Octopus Deploy, where data is sent via HEC, and now I need to validate new logging locations in Splunk to send logs... Which are the logging locations to be considered?
Hello Splunkers!! I want to ingest the below two patterns of events into Splunk; both are JSON logs, but their timestamps are different. So far I have used the below attributes in my props.conf. Please let me know or suggest if there is any other attribute I need to add so that both patterns of events parse smoothly without any time difference.

[exp_json]
AUTO_KV_JSON = false
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
KV_MODE = none
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = true
TIME_PREFIX = \"time\"\:\"
category = Custom
pulldown_type = true

Pattern 1:
{"datacontenttype":"application/json","data":{"identificationStatus":"NO_IDENTIFICATION_ATTEMPTED","location":"urn:topology:segment:1103.20.15-1103.20.19","carrierId":null,"trackingId":"dc268ac7-168a-11ef-b02a-1feae60bb414"},"subject":"CarrierPositionUpdate","messages":[],"specversion":"1.0","classofpayload":"com.vanderlande.conveyor.boundary.event.business.outbound.CarrierPositionUpdate","id":"8252fb03-2eb2-4619-a59b-24e3280f9bda","source":"conveyor","time":"2024-05-20T09:29:53.361800Z","type":"CarrierPositionUpdate"}

Pattern 2:
{"data":{"physicalId":"60040160041570014272","carrierTypeId":"18","carrierId":"60040160041570014272","prioritizedDestinations":[{"name":"urn:topology:location:Pallet Loop (DEP):OBD/Returnflow:Exit01","priority":1},{"name":"urn:topology:location:Pallet Loop (DEP):OBD/Returnflow:Exit02","priority":1}],"transportOrderId":"TO_00001399"},"topic":"transport-order-commands-conveyor","specversion":"1.0","time":"2024-05-22T18:02:16.669Z","id":"34A0DF56-B0B2-4A73-9D7B-034A94D49747","type":"AssignTransportOrder"}

Thanks in advance!!
If I run a search query, there is no issue with the raw events. From the Events tab, everything looks in perfect format, and I can't say that there is a data quality issue in the events. Only when this is visualised from the Statistics tab can I see this. Also, this is happening only with some events in the result set. I have attached screenshots of the normal results and of the results with the data quality issue: the expected results with Request Id and the other fields, and what it is actually displaying (refer to the highlighted rows). Here is the event of one of the request IDs where the key-value pair is in the expected format.