×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
mmmmssss
Engager
Member since: ‎12-22-2018
‎06-05-2020
Community Statistics
Posts 2
Solutions 0
Karma Given 0
Karma Received 2
Member Since ‎12-22-2018
Activity Feed
View All

Splunk 6 auto key value extraction not working?

by in Getting Data In
‎10-15-2013 05:26 AM
1 Karma
‎10-15-2013 05:26 AM
1 Karma
I have recently installed splunk 6, almost certain this worked fine in splunk 5... I have extracted a number of fields from one index into another using the "| collect index=events" function. Now I have the fields in the new index and the raw data contains the key values i expected, but they are not being auto extracted by splunk? I have also tested this with some other data which also doesn't extract, and turned on verbose mode. Example data: time="2013/06/06 15:15:15" data="test" seconddata="test2" 05/09/2013 23:45:39 +0100, info_search_time=1381837886.531, bytes=214, client_ip="192.168.0.1", company=test1, destination_ip="10.0.0.1", domain="example.com", method=GET, reason="Not Found", status=404, uri="/test-env" Question: Is there some global setting to turn on KV extraction? Otherwise is it something I have broken? Thanks, Michael ... View more

Changing field names at runtime

by in All Apps and Add-ons
‎08-05-2013 03:52 AM
1 Karma
‎08-05-2013 03:52 AM
1 Karma
Hi, I cant find a good way to rename multiple field names within different datatypes at run time to then be able to apply transactions to them. Here is an example: search * | rename SourceNetworkAddress as IP | stats count by IP This gives me 4 different IP's with 39 distinct events if I change it to search * | rename SourceNetworkAddress as IP, IP_Address as IP | stats count by IP The second value seems to overwrite the first and I end up with 2 different IP addresses with 12 distinct events. I guess because the first event type doesnt contain that fieldname it is just being overwritten to blank. I have got around it in the interim by just renaming the first field to the name of the second, but this isnt flexible as I now want to add a third datatype. Any help appreciated! Thanks, ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM
Karma from
View All