I'm rather new to Splunk. One of the things I have been tasked with is the tracking of API commands sent in URLs to us by our customers. I have some fields that I have extracted that appear correctly in the left Fields part of the screen and work in stats breakdowns, but when I attempt to search with them the results are inconsistent.
Much of the important information I need to extract is in the "options" portion of the URL.
options=ORD%3DAU+TEXT%3DN+PS%3DN+FormatOnHost%3DN+UNIX%3DY+SENDDATA%3DN+PA%3DGN+REVL%3DY+REVF%3DAU
I want to extract values for each field name that precedes the %3d with the values after it (i.e. "ORD" would be the field and "IV" would be the value). I used the field extractor with a regex similar to the following for each field:
(?i)ORD(%3D|=)(?P<ORD>\w+)
There is one of these for each of the fields in the options. Each of the fields seems to capture the correct values when looked at in the Fields section of Splunk and when using the stats command. However, if I search with the following I get no results:
host="mywebserver" ORD=AU : 0 events from 1 AM through 7 AM Thursday, March 17, 2011
There is obviously data out there with that value because if I do the following I get the expected results and the fields show as extracted with the AU value:
host="mywebserver" ORD%3dAU : 174 events from 1 AM through 7 AM Thursday, March 17, 2011
The really odd thing is that almost the opposite happens when I search for a different value (all the requests have "ORD%3dIV" on them and none have literally "ORD=IV").
host="mywebserver" ORD=IV : 2,138 events from 1 AM through 7 AM Thursday, March 17, 2011
host="mywebserver" ORD%3dIV : 705 events from 1 AM through 7 AM Thursday, March 17, 2011
Is there something I'm doing wrong with my extraction or possibly something wrong in our Splunk environment?
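A small Python parser, added here as an illustration and not part of the original question or of Splunk, that pulls every key/value pair out of the options string (both in its raw %3D form and after URL decoding) and shows why a per-field pattern like the one above should be anchored on a non-word character. The sample options string is modelled on the one quoted in the question; the RECORD field in the second sample is constructed to show the collision.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample, modelled on the options value quoted in the question.
SAMPLE_OPTIONS = ("options=ORD%3DAU+TEXT%3DN+PS%3DN+FormatOnHost%3DN+UNIX%3DY"
                  "+SENDDATA%3DN+PA%3DGN+REVL%3DY+REVF%3DAU")

# Generalised form of the question's per-field regex: any field name, followed by
# either the encoded '%3D' or a literal '=', then a word value. The lookbehind stops
# a match from starting in the middle of a longer field name.
PAIR_RE = re.compile(r"(?i)(?<![A-Za-z0-9_])(?P<key>\w+)(?:%3D|=)(?P<val>\w+)")


def options_value(text):
    """Return the text after 'options=' (the question's samples include the name)."""
    _, sep, value = text.partition("options=")
    return value if sep else text


def extract_raw(text):
    """Extract key/value pairs from the raw, still URL-encoded options value."""
    return {m.group("key"): m.group("val") for m in PAIR_RE.finditer(options_value(text))}


def extract_decoded(text):
    """Decode first (%3D -> '=', '+' -> ' '), then split on whitespace and '='."""
    decoded = unquote_plus(options_value(text))
    pairs = {}
    for token in decoded.split():
        key, sep, val = token.partition("=")
        if sep:
            pairs[key] = val
    return pairs


def extract_field(name, text):
    """The question's pattern as written: field name with no anchor."""
    m = re.search(rf"(?i){re.escape(name)}(?:%3D|=)(?P<val>\w+)", text)
    return m.group("val") if m else None


def extract_field_anchored(name, text):
    """Same pattern, but the field name may not be preceded by a word character,
    so 'ORD' no longer matches inside a longer name such as the constructed 'RECORD'."""
    m = re.search(rf"(?i)(?<!\w){re.escape(name)}(?:%3D|=)(?P<val>\w+)", text)
    return m.group("val") if m else None
```

Running the two extractors over the same string is a quick way to confirm that a field list built from the encoded form agrees with the decoded form before relying on it in searches.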