
Forums: SplunkGeneral: Index-time field extraction not searchable




When I use double-quotes in my index-time field extractions, the meta-data is not searchable. I've seen this problem on 4.0.11 and 4.1.3.

Sample text:

results=AA,BB,CC CC,DD

Transforms.conf without double-quotes:

REGEX = ^results=(.*?),(.*?),(.*?),(.+)$
FORMAT = key1::$1 key2::$2 key3::$3 key4::$4
WRITE_META = true

Transforms.conf with double-quotes:

REGEX = ^results=(.*?),(.*?),(.*?),(.+)$
FORMAT = key1::"$1" key2::"$2" key3::"$3" key4::"$4"
WRITE_META = true

Results:

If you use the first transforms.conf without the double-quotes, there are two problems:

1. The value for key3 (with a space) is not captured correctly. This is in the documentation which says to use double-quotes.
2. The fields extracted on 4.1.3 are incorrect for key4. Instead of having a field "key4" it has "CC key4". I don't recall seeing this behavior in 4.0.x.

However, if you use the second transforms.conf with the double-quotes:

3. The meta-data is not searchable, i.e. a search for "key1=AA" fails.

Please go to http://answers.splunk.com/questions/3590/why-is-index-time-field-extraction-not-searchable if you wish to reply so all answers are collected in a single location.
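The following is an added example, not part of the original post and not Splunk's own code. It reproduces the two transforms.conf settings above in Python: the REGEX is applied to the sample event, the $1..$4 groups are substituted into FORMAT, and the resulting key::value string is then tokenized two ways. The tokenizers (split_whitespace_pairs and split_quoted_pairs) are a simplified model written for this example, not Splunk's real index-time parser, so they show only why an unquoted value containing a space cannot be delimited reliably; they do not reproduce the exact "CC key4" field name the post reports. The check_needs_quoting helper is a hypothetical pre-deployment check that flags capture groups whose values contain whitespace.

```python
import re

# Constructed sample event and settings, copied from the post above
SAMPLE_EVENT = "results=AA,BB,CC CC,DD"
REGEX = r"^results=(.*?),(.*?),(.*?),(.+)$"
FORMAT_PLAIN = "key1::$1 key2::$2 key3::$3 key4::$4"
FORMAT_QUOTED = 'key1::"$1" key2::"$2" key3::"$3" key4::"$4"'


def apply_format(event, regex, fmt):
    """Apply REGEX to the event and substitute $1..$n into FORMAT.

    Returns None when the regex does not match. Groups are substituted
    from highest to lowest index so that $1 never clobbers $10.
    """
    m = re.match(regex, event)
    if not m:
        return None
    out = fmt
    for i in range(len(m.groups()), 0, -1):
        out = out.replace(f"${i}", m.group(i))
    return out


def split_whitespace_pairs(formatted):
    """Simplified model (assumption, not Splunk's parser): split the
    formatted string on whitespace and treat each token as key::value.
    Tokens without '::' are collected under '_stray' to make the
    damage caused by an unquoted value with a space visible."""
    pairs = {}
    for token in formatted.split():
        if "::" in token:
            key, value = token.split("::", 1)
            pairs[key] = value
        else:
            pairs.setdefault("_stray", []).append(token)
    return pairs


def split_quoted_pairs(formatted):
    """Simplified model (assumption) that honours double-quoted values:
    key::"value with spaces" or key::bareword."""
    pairs = {}
    for m in re.finditer(r'(\w+)::(?:"([^"]*)"|(\S+))', formatted):
        key = m.group(1)
        value = m.group(2) if m.group(2) is not None else m.group(3)
        pairs[key] = value
    return pairs


def check_needs_quoting(event, regex):
    """Hypothetical pre-deployment check: return the 1-based indices of
    capture groups whose value contains whitespace, i.e. the groups that
    must be wrapped in double-quotes in FORMAT."""
    m = re.match(regex, event)
    if not m:
        return []
    return [i for i, g in enumerate(m.groups(), start=1) if re.search(r"\s", g)]


if __name__ == "__main__":
    plain = apply_format(SAMPLE_EVENT, REGEX, FORMAT_PLAIN)
    quoted = apply_format(SAMPLE_EVENT, REGEX, FORMAT_QUOTED)
    print("unquoted FORMAT ->", plain)
    print("  whitespace split:", split_whitespace_pairs(plain))
    print("quoted FORMAT   ->", quoted)
    print("  quote-aware split:", split_quoted_pairs(quoted))
    print("groups needing quotes:", check_needs_quoting(SAMPLE_EVENT, REGEX))
```

Running the block shows key3 reduced to "CC" with a stray "CC" token under the unquoted FORMAT, while the quote-aware split recovers "CC CC" intact; check_needs_quoting reports group 3 as the one that has to be quoted.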