×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
anderssv
New Member
Member since: ‎10-15-2012
‎06-05-2020
Community Statistics
Posts 5
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎10-15-2012
View All

Re: Search time indexing failing with certain fiel...

by in Splunk Search
‎02-12-2014 11:43 PM
‎02-12-2014 11:43 PM
Test query works as expected: sourcetype=log4j | rex "\s(?P<loglevel>(FATAL|ERROR|WARN|INFO|DEBUG|TRACE))\s" | stats count by loglevel I run a more detailed query to filter that works: sourcetype=log4j | rex "\s(?P<loglevel>(FATAL|ERROR|WARN|INFO|DEBUG|TRACE))\s" | search loglevel="ERROR" Then I move stuff to props.conf... The count query works: sourcetype=log4j | stats count by loglevel The detailed query doesn't??? sourcetype=log4j loglevel=INFO INFO did occur in the table for stats, and is present in the timeframe... Have the faintest idea what's going on here? ... View more

Re: Search time indexing failing with certain fiel...

by in Splunk Search
‎02-12-2014 11:42 PM
‎02-12-2014 11:42 PM
Sorry, thought the proxy was blocking stuff. But trying to post an answer from a different computer/network doesn't work either. I'll just split for the comments here. ... View more

Re: Search time indexing failing with certain fiel...

by in Splunk Search
‎02-11-2014 11:23 PM
‎02-11-2014 11:23 PM
Thanks. So I updated to unique names. But it doesn't seem to help. 😞 Updated answer below because of length limitation on comments. ... View more

Re: Search time indexing failing with certain fiel...

by in Splunk Search
‎02-07-2014 06:52 AM
‎02-07-2014 06:52 AM
Ah, sorry about that. Extraction of course. I did searches in timeframes that did not have the "### loglevel=warn" data, but it still didn't work... ... View more

Search time indexing failing with certain field na...

by in Splunk Search
‎02-07-2014 06:03 AM
‎02-07-2014 06:03 AM
We are doing search time indexing, and the following stanza is added to props.conf on the search heads: [log4j] EXTRACT-loglevel = \s(?P<loglevel>(FATAL|ERROR|WARN|INFO|DEBUG|TRACE))\s This was working, but stopped. No changes to config, and I suspect the only thing that changed was the indexed data. Is there any chance that smart field extraction or something like that is interfering with our extraction? I can see some log statements containing: .... ### loglevel=warn ... .... Searches for loglevel gives zero results: loglevel=ERROR But... If we change the name of the extracted field it starts working... (notice the j in front of loglevel)... [log4j] EXTRACT-loglevel = \s(?P<jloglevel>(FATAL|ERROR|WARN|INFO|DEBUG|TRACE))\s Any clue as to where we should start digging? We can of course live with a different name, but seems a bit unnecessary too. 🙂 ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM