I have a little problem with summary indexing seemingly ignoring some fields.
My logfile looks like this:
2011-06-29 12:00:00,000 tx=12345 Starting to process order. orderId=31415
2011-06-29 12:00:01,500 tx=12345 Done processing order. outcome=SUCCESS, info=[orderId=31415, execution_time_ms=1500]
2011-06-29 12:05:00,000 tx=98765 Starting to process order. orderId=67890
2011-06-29 12:05:01,200 tx=98765 Done processing order. outcome=FAILURE, info=[orderId=67890, execution_time_ms=1200]
I've scheduled an index-populating query called "index-populating-query" that runs every 15 minutes and saves its results to the summary index:
When I run this query from search, Splunk correctly shows all the discovered fields on the left hand side: tx, orderId, outcome, execution_time_ms.
But when I run queries against the summary index, it seems that the fields tx and outcome aren't contained in the index:
index=summary source="index-populating-query" outcome=*
produces an empty result set, and
index=summary source="index-populating-query" *
shows the fields orderId and execution_time_ms on the left hand side, but no outcome or tx.
Does anyone have an explanation for this behaviour?
I noticed that the missing fields are the ones that aren't following a comma in the log file.
The outcome field could probably be extracted during my queries against the summary index using a regex (e.g. rex "(?i) outcome=(?P<outcome>[^,]+)"), but doesn't that somehow defeat the purpose of summary indexing?
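To make the observation about the missing fields concrete, here is a small Python model (added here; it is not part of the original post and not Splunk's own extraction code) that runs two key=value extractors over the four quoted log lines: one that only accepts pairs following a comma or an opening bracket, and one that also accepts pairs following whitespace. The first reproduces the reported field list (orderId and execution_time_ms only); the second recovers tx and outcome as well. The names DELIMITED_KV, ANY_KV, extract and fields_seen are assumptions of this example, and the log lines are a constructed copy of the ones in the question.

```python
import re

# Constructed copy of the four log lines quoted in the question.
LOG_LINES = [
    "2011-06-29 12:00:00,000 tx=12345 Starting to process order. orderId=31415",
    "2011-06-29 12:00:01,500 tx=12345 Done processing order. outcome=SUCCESS, info=[orderId=31415, execution_time_ms=1500]",
    "2011-06-29 12:05:00,000 tx=98765 Starting to process order. orderId=67890",
    "2011-06-29 12:05:01,200 tx=98765 Done processing order. outcome=FAILURE, info=[orderId=67890, execution_time_ms=1200]",
]

# A value runs up to the next whitespace, comma, bracket or '='.
VALUE = r"[^\s,\[\]=]+"

# Model of the hypothesis in the post (assumed, not Splunk's real logic):
# only key=value pairs that follow a comma or an opening bracket are picked up.
DELIMITED_KV = re.compile(r"[,\[]\s*(\w+)=(" + VALUE + ")")

# Extractor that also accepts pairs preceded by whitespace. The lookbehind
# keeps the key from starting in the middle of a word or right after a dot.
ANY_KV = re.compile(r"(?<![\w.])(\w+)=(" + VALUE + ")")


def extract(line, pattern):
    """Return {key: value} for every pair the given pattern finds in one line."""
    return {key: value for key, value in pattern.findall(line)}


def fields_seen(lines, pattern):
    """Union of the field names the pattern extracts across all lines."""
    names = set()
    for line in lines:
        names.update(extract(line, pattern))
    return names


if __name__ == "__main__":
    print("delimiter-anchored:", sorted(fields_seen(LOG_LINES, DELIMITED_KV)))
    print("any key=value:     ", sorted(fields_seen(LOG_LINES, ANY_KV)))
    for line in LOG_LINES:
        print(extract(line, ANY_KV))
```

The ANY_KV pattern is the general form of the `rex` the post considers for the single outcome field: one expression that picks up every key=value pair regardless of what precedes it, which is the kind of extraction you would want applied once, before the results reach the summary index, rather than repeated in every query against it.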
My Splunk installation has indexed some files that weren't supposed to be indexed (dot files created by rsync), and now I'm seeing a Pool quota overage alert in Manager > Licensing > Licensing alerts.
The message states "please correct before midnight", but doesn't tell me how.
I can search for the unwanted events by filtering the source field, and I could pipe the result to the Delete operator - but AFAIK, that has zero effect on the licensing.
So what exactly is Splunk encouraging me to do before midnight?
My question is a duplicate of this one, but since I couldn't comment there, I figured I'd ask again:
When I click view source on an event that has a large number of lines (for example, a Java error with 200+ lines), the view source screen only shows first 100 lines of the original log.
This is actually listed as a feature with 4.x Splunk. Is there a way to increase this so when I click on view source I see the whole original log?
According to the only answer, this is a bug that should be fixed in v4.1.3. However, I'm running v4.1.4 (82143) and still cannot see more than 100 lines in Show Source.