Some fields not resolving to alias

Question

I have just set up a splunk server (so I'm not quite sure what I'm doing yet) on its own virtual machine. On another machine running Nagios, I have installed a lightweight forwarder. On the splunk indexing server, I have also installed the SplunkForNagios app. SplunkForNagios has several fields configured that I would like to reference as the same field. For example, there's a servicestatus field:

EXTRACT-servicestatus = .+CURRENT SERVICE STATE\:[^;]+;[^;]+;(?P<servicestatus>[^;]*)(?=;)

a status field:

EXTRACT-status = .+SERVICE ALERT\:[^;]+;[^;]+;(?P<status>[^;]*)(?=;)

and a statusnotification field: EXTRACT-statusnotification = .+SERVICE NOTIFICATION\:[^;]+;[^;]+;[^;]+;(?P[^;]*)(?=;)

From my understanding, the correct way of doing this would be to create an alias to reference these three field. So, using the web frontend, I created the alias nagios_status which gave me the following in my configuration file:

FIELDALIAS-nagios_status = servicestatus AS nagios_status status AS nagios_status statusnotification AS nagios_status

I created nagios_status under the SplunkForNagios app, but made it globally available. Now, when I do a search for nagios_status="OK", I get 8 results, 6 of which are status and 2 of which are statusnotification. However, status="OK" returns 11, statusnotifcation="OK" returns 2, and servicestatus="OK" returns 118.

As an example, Splunk says that this log entry contains a value for "nagios_status":

[1288808908] SERVICE ALERT: vm-centos2;yum_updates_nrpe;OK;SOFT;2;YUM OK: 0 Security Updates Available

But this one does not:

[1288765588] SERVICE ALERT: vm-centos2;yum_updates_nrpe;OK;SOFT;2;YUM OK: 0 Security Updates Available

Why are some of these working but not others?

Answer 1

0

I'm having the exact same problem - I have several different fields (extracted from various log row formats), that serve essentially the same purpose. When I alias all 3 to the same name the results become unpredictable - some rows have the aliased name, most do not. The distinction seems completely arbitrary.

Ddi you find a solution for this problem?

link

answered 21 Mar '11, 11:28

spock_yh
41●2
accept rate: 0%

Answer 2

Hi averyml,

The best way to achieve this is to create a number of transforms:
1/ add a new REPORT type to $SPLUNK_HOME/etc/apps/SplunkForNagios/local/props.conf under the sourcetype called [nagios]

REPORT-nagios_status = status servicestatus statusnotification

2/ add three new entries to $SPLUNK_HOME/etc/apps/SplunkForNagios/local/transforms.conf

[status]
REGEX = .+SERVICE ALERT\:[^;]+;[^;]+;(?P<nagios_status>[^;]*)(?=;)

[servicestatus]
REGEX = .+CURRENT SERVICE STATE\:[^;]+;[^;]+;(?P<nagios_status>[^;]*)(?=;)

[statusnotification]
REGEX = .+SERVICE NOTIFICATION\:[^;]+;[^;]+;[^;]+;(?P<nagios_status>[^;]*)(?=;)

3/ Click on the "splunk> SplunkForNagios" logo at the top right of the gui to reload the config files (if using Splunk v 4.2.x, or restart splunk if using v 4.1.x or earlier)

4/ Re-run your search and choose 'nagios_status' from the field picker and click "Select/show in results"

Note: I wrote Splunk for Nagios and am currently applying knowledge management to the app, it will be compliant with the Common Information Model in v1.1 due in May.

A couple of the benefits to making the app CIM compliant include:
1/ common field names; eg. src_host, reason, result.
2/ easier to correlate events.
FYI: existing field names remains the same.

http://www.splunk.com/base/Documentation/latest/Knowledge/UnderstandandusetheCommonInformationModel

Some fields not resolving to alias

Follow this question

Splunk Resources

Related questions