I've got a fairly simple field extraction specified by a props.conf REPORT directive pointed to a transforms.conf spec. The REPORT directive is within a sourcetype spec'd stanza.
The transforms.conf spec has a SOURCE_KEY value that is an autokv extracted field that is null in some events (i.e. "key=" as a null, while positive events are key=value). The only other directive for this stanza is the REGEX, which works via the rex command.
With this config set, and after a Splunk restart, the extracted field fails to show up in search results on the sourcetype. However, if I run the same search and append ` | extract reload=T` to the end, the field shows up.
This is very confusing. Does anybody have any explanation as to what could be going on here?