Since we're using Splunk Free I can't open a case to submit a bug report. Hopefully someone here can either tell me this is expected behavior or reproduce the bug and file it.
I was working on adding fields to our access-combined SourceType and noticed that the first extraction I completed returned incorrect data. For logs from today (Jan 1) the fields were correct but logs from yesterday (Dec 31) and before were all off by one position. Since I'm not concerned about perfect extraction I had set up the new fields with space-delimited separators. In trying a different field extraction with a different sample date *before* today I found that the fields lined up fine for all days prior.
I switched to raw view in Search and it looked like both today's and yesterday's log entries are identical in their space-delimited breakouts. Heading back into Field Extractor I previewed Jan 1 entries versus Dec 31 entries and found that the datetime fields between the two aren't consistent. For instance:
Dec[single space]31[single space]23:31:39
Jan[double space]1[single space]12:06:15
It looks like Field Extractor was trying to compensate for the length difference between the "1" and "31" day fields. But, in doing so, it assumed the extra space was another field delimiter and moved everything over by one place.
Has anyone else seen this behavior or are you able to reproduce it? I've set up an extraction based on the correct format, but since our installation is fairly new I don't have enough indexed data to see if this affects all dates with single-digit days or if it's only in Field Extractor.
Thanks!
Alan
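The shift described in the post comes from the syslog-style date prefix, which pads single-digit days with a space ("Jan  1"). The following is an added example, not code from the post or from Splunk: two constructed log lines are split on a literal single space (the field position moves) and on whitespace runs or a `\s+` regex (the position stays put). The regex is the same shape a Splunk EXTRACT stanza would use; the host name and request text are made up.

```python
import re

# Constructed sample lines (not from the post) shaped like the entries it describes:
# syslog-style dates pad single-digit days with a space, so "Jan  1" has two spaces.
SAMPLE_LINES = [
    'Dec 31 23:31:39 web01 httpd: 10.0.0.5 - - "GET /index.html HTTP/1.1" 200 1234',
    'Jan  1 12:06:15 web01 httpd: 10.0.0.5 - - "GET /index.html HTTP/1.1" 200 1234',
]

# Regex of the kind a Splunk EXTRACT stanza would use: \s+ swallows the padding.
TIMESTAMP_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+(?P<rest>.*)$"
)

def naive_fields(line):
    """Split on every single space, as a literal space delimiter does.
    The padded day yields an empty token, shifting every later field by one."""
    return line.split(" ")

def robust_fields(line):
    """Split on runs of whitespace; the padding collapses into one delimiter."""
    return line.split()

def extract_timestamp(line):
    """Name the date/time fields with a regex that tolerates the padding.
    Returns None when the line does not start with the expected prefix."""
    m = TIMESTAMP_RE.match(line)
    if m is None:
        return None
    return {
        "month": m.group("month"),
        "day": int(m.group("day")),
        "time": m.group("time"),
        "host": m.group("host"),
    }

def time_field_positions(lines):
    """Index of the hh:mm:ss token under each split, per line, to show the shift."""
    out = []
    for line in lines:
        parsed = extract_timestamp(line)
        if parsed is None:
            continue
        out.append((naive_fields(line).index(parsed["time"]),
                    robust_fields(line).index(parsed["time"])))
    return out  # [(2, 2), (3, 2)] for SAMPLE_LINES
```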