8/5/2023

Splunk lookup props.conf

(Optional) If your field value is a smaller part of a token, you must configure nf as explained here. The problem is that while foo123 exists in the index, foo does not, which means that you'll likely get few results if you search on that subtoken, even though it may appear to be extracted correctly in your search results.

Because tokens cannot be smaller than individual words within strings, a field extraction of a subtoken (a part of a word) can cause problems because subtokens will not themselves be in the index, only the larger word of which they are a part.

I've reviewed the specifications for nf and nf but wasn't able to find what I'm doing wrong.

However, if your extraction pulls out the foo as a field value unto itself, you're extracting a subtoken.

I've since set up a few other regex transforms to drop specific events from a different source (by sending them to nullQueue) and these are all working as expected, so I know that Splunk is able to see the conf files.

If it has been run through event processing and indexing, it is a token, and it can be a value of a field. For example, you may have the word foo123 in your event.

A heavy forwarder is just an indexer that does not store data. That's the primary function of an indexer.

Tokens are never smaller than a complete word or number.

richgalloway (SplunkTrust), 3 weeks ago: Yes, indexers do process data before it gets indexed.

During event processing, events are broken up into segments, and each segment created is a token. Tokens are chunks of event data that have been run through event processing prior to being indexed. You may run into problems if you are extracting a field value that is a subtoken, a part of a larger token.

You can then use these fields with some event types to help you find port flapping events and report on them.
| stats count by interface,host,port_status Search = eventtype=cisco_ios_port_down OR eventtype=cisco_ios_port_up starthoursago=3