I'm double posting, original issue posted here: http://www.splunk.com/support/forum:SplunkGeneral/4378
When I use double-quotes in my index-time field extractions, the meta-data is not searchable. I've seen this problem on 4.0.11 and 4.1.3.
Sample text:
results=AA,BB,CC CC,DD
transforms.conf without double-quotes:
REGEX = ^results=(.*?),(.*?),(.*?),(.+)$
FORMAT = key1::$1 key2::$2 key3::$3 key4::$4
WRITE_META = true
transforms.conf with double-quotes:
REGEX = ^results=(.*?),(.*?),(.*?),(.+)$
FORMAT = key1::"$1" key2::"$2" key3::"$3" key4::"$4"
WRITE_META = true
Results:
If you use the first transforms.conf without the double-quotes, there are two problems:
1. The value for key3 (with a space) is not captured correctly. This is in the documentation, which says to use double-quotes.
2. The fields extracted on 4.1.3 are incorrect for key4. Instead of having a field "key4" it has "CC key4". I don't recall seeing this behavior in 4.0.x.
However, if you use the second transforms.conf with the double-quotes:
The meta-data is not searchable, i.e. a search for "key1=AA" fails.
UPDATE 6/15/2010
Here are my conf files so you can replicate this issue. I also have a screenshot below.
inputs.conf:
[monitor:///var/log/test]
disabled = 0
sourcetype = mytest
props.conf:
[mytest]
TRANSFORMS-test = extract-fields
fields.conf:
[key1]
INDEXED = true
[key2]
INDEXED = true
[key3]
INDEXED = true
[key4]
INDEXED = true
transforms.conf:
[extract-fields]
REGEX = ^results=(.*?),(.*?),(.*?),(.+)$
FORMAT = key1::"$1" key2::"$2" key3::"$3" key4::"$4"
WRITE_META = true
screenshot:
In this screenshot, notice that the values are indeed extracted and show up in the search result. However, searching for "key1=AA" (or any other key=value) returns no results.
http://dottom.com/public/images/screenshot_8jd49x4d.png
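The following is an added example, not code from the poster or from Splunk. It applies the REGEX from the post to the sample event offline, expands both FORMAT variants, and splits the result into key::value pairs under an assumed model (whitespace separates entries, double quotes group a value containing whitespace). Under that model the unquoted FORMAT leaves the second "CC" of key3 as a stray token, which is the first problem described above; the model does not claim to reproduce the "CC key4" field name on 4.1.3 or the searchability failure, since those depend on Splunk's real indexing pipeline. It also adds a lint check that flags $N placeholders whose captured value contains whitespace but which are not wrapped in double quotes in FORMAT, which is the check a practitioner would run before deploying an index-time transform.

```python
import re
import shlex

# Constructed sample event, copied from the post; not real log data.
SAMPLE_EVENT = "results=AA,BB,CC CC,DD"

# The two transforms.conf variants quoted in the post.
REGEX = r"^results=(.*?),(.*?),(.*?),(.+)$"
FORMAT_UNQUOTED = "key1::$1 key2::$2 key3::$3 key4::$4"
FORMAT_QUOTED = 'key1::"$1" key2::"$2" key3::"$3" key4::"$4"'

PLACEHOLDER = re.compile(r"\$(\d+)")


def expand_format(regex, fmt, event):
    """Apply REGEX to one event and substitute $N in FORMAT with capture group N.

    Returns None when the event does not match (the transform would not fire).
    """
    m = re.match(regex, event)
    if m is None:
        return None
    return PLACEHOLDER.sub(lambda mo: m.group(int(mo.group(1))), fmt)


def split_meta(expanded):
    """Split an expanded FORMAT string into key::value pairs.

    Assumed model (not Splunk's actual tokenizer): whitespace separates
    entries and double quotes group a value that contains whitespace.
    Tokens with no '::' are returned as orphans; they belong to no key.
    """
    pairs, orphans = {}, []
    for tok in shlex.split(expanded):
        key, sep, value = tok.partition("::")
        if sep:
            pairs[key] = value
        else:
            orphans.append(tok)
    return pairs, orphans


def unquoted_placeholders_with_spaces(regex, fmt, event):
    """Lint check: capture groups referenced as $N in FORMAT without surrounding
    double quotes whose captured value contains whitespace for this event."""
    m = re.match(regex, event)
    if m is None:
        return []
    flagged = []
    for mo in PLACEHOLDER.finditer(fmt):
        n = int(mo.group(1))
        before = fmt[mo.start() - 1] if mo.start() > 0 else ""
        after = fmt[mo.end()] if mo.end() < len(fmt) else ""
        quoted = before == '"' and after == '"'
        if not quoted and re.search(r"\s", m.group(n)):
            flagged.append(n)
    return flagged


def preview(regex, fmt, event):
    """Return (pairs, orphans, flagged_groups) for one event and FORMAT."""
    expanded = expand_format(regex, fmt, event)
    if expanded is None:
        return {}, [], []
    pairs, orphans = split_meta(expanded)
    return pairs, orphans, unquoted_placeholders_with_spaces(regex, fmt, event)


if __name__ == "__main__":
    for label, fmt in (("unquoted", FORMAT_UNQUOTED), ("quoted", FORMAT_QUOTED)):
        pairs, orphans, flagged = preview(REGEX, fmt, SAMPLE_EVENT)
        print(label, pairs, "orphans:", orphans,
              "unquoted groups with whitespace:", flagged)
```

Run it against a handful of representative events from the monitored file before enabling WRITE_META; any non-empty orphan list or flagged group means the FORMAT needs quoting or the REGEX needs tightening.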