Why is Extracted field not searchable?

oliverja
Path Finder

I have logs that seem to be extracting perfectly. All fields show up in "Interesting Fields", and each one can be searched: myField=* gives results.

EXCEPT:

I have a field called "domain". It cannot be searched. It is there. It shows 100% of events have it. I hover over it and I see the contents. But when I run a search, nada.

index=disa-cbii

(screenshot of the field sidebar omitted)

Search:

index=disa-cbii domain="insight.adsrvr.org"

0 Results found.

Same for domain=*

Now, if we throw in spath

index=disa-cbii
| spath domain
| search domain="insight.adsrvr.org"

we get plenty of results.

What is happening? From everything I can tell, I should not need spath because the event is extracting just fine. All the other dozen fields are extracted and searchable.

index=disa-cbii
| table domain

works fine. How can I table something that doesn't exist?


gcusello
SplunkTrust

Hi @oliverja,

if you say that using the spath command you see the data, I suppose you're speaking of JSON format; did you use INDEXED_EXTRACTIONS=JSON in your props.conf?

Ciao.

Giuseppe


oliverja
Path Finder

I have "KV_MODE = json" in my props.conf, which I took to mean that my extractions could take place at search time, instead of index time.

If I do your solution, I would need to disable the KV_MODE so that it is not doing the same work twice? But it would be done on the ingest/index side, not search. We get a lot of these, and I am worried about the storage implications.

I also want to add -- "domain" shows up as covering 100% of events. Again implying it is working?


oliverja
Path Finder

Any more clarification before I start overriding things?


gcusello
SplunkTrust
SplunkTrust

Hi @oliverja,

as I said, I usually use INDEXED_EXTRACTIONS = JSON and it always runs correctly, but KV_MODE = json should still work.

Anyway, if the problem is only on one field (domain), maybe the easiest solution is to add a regex extraction only for this field, to avoid changing all your extractions.

Ciao.

Giuseppe

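The single-field regex extraction gcusello suggests, worked through as an added example that is not part of the thread and not the poster's configuration. It shows the props.conf stanza such an EXTRACT-domain setting would take alongside the existing KV_MODE = json, and checks the pattern offline against constructed JSON events before it is deployed. The sourcetype name cbii_json, the event layout and the sample values are assumptions; the original post shows only the field name and one domain value. Splunk evaluates EXTRACT-* patterns with PCRE, which accepts the (?P<name>...) group syntax, so the same pattern string can be exercised here with Python's re module.

```python
import json
import re
from typing import List, Optional

# Added example (not from the thread): a search-time regex extraction for the
# single field "domain", verified against constructed events before it goes
# into props.conf.
#
# Assumed props.conf stanza (the sourcetype name "cbii_json" is hypothetical):
#
#   [cbii_json]
#   KV_MODE = json
#   EXTRACT-domain = "domain"\s*:\s*"(?P<domain>[^"\\]*)"
#
# The pattern stops at the first unescaped quote or backslash, so a value
# containing an escaped quote is deliberately not matched rather than
# truncated silently.
DOMAIN_RE = re.compile(r'"domain"\s*:\s*"(?P<domain>[^"\\]*)"')

# Constructed sample events; the JSON layout is an assumption.
EVENTS = [
    '{"ts":"2022-06-27T08:23:05Z","src_ip":"10.1.2.3","domain":"insight.adsrvr.org","action":"allowed"}',
    '{"ts": "2022-06-27T08:23:06Z", "domain" : "example.com", "action": "blocked"}',
    '{"ts":"2022-06-27T08:23:07Z","src_ip":"10.1.2.4","action":"allowed"}',
    # Nested key first: KV_MODE=json would name it "http.domain", but a regex
    # scanning raw text takes the first "domain" it sees.
    '{"ts":"2022-06-27T08:23:08Z","http":{"domain":"nested.example"},"domain":"top.example"}',
]


def extract_domain(event: str) -> Optional[str]:
    """Return what EXTRACT-domain would yield for one raw event, or None."""
    m = DOMAIN_RE.search(event)
    return m.group("domain") if m else None


def check_against_json(event: str) -> bool:
    """Cross-check the regex against a real JSON parse of the same event.

    Run this over a sample of real events before shipping the regex: if the
    two disagree (nested "domain" keys, escaped quotes, non-string values),
    the pattern needs narrowing, not the data.
    """
    parsed = json.loads(event)
    return extract_domain(event) == parsed.get("domain")


def search(events: List[str], domain: str) -> List[str]:
    """Equivalent of `... | search domain="<value>"` over the regex field."""
    return [e for e in events if extract_domain(e) == domain]


if __name__ == "__main__":
    for e in EVENTS:
        print(extract_domain(e), check_against_json(e))
    print(len(search(EVENTS, "insight.adsrvr.org")), "event(s) match")
```

The fourth constructed event is the caveat: a flat regex over raw JSON picks up the nested http.domain value while KV_MODE = json would report the top-level one, so the cross-check flags it. If real events can carry nested keys of the same name, anchor the pattern to the top level or keep the spath approach for that field.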