Splunk® Enterprise

Knowledge Manager Manual

The sequence of search-time operations

When you run a search, the Splunk software runs several operations to derive various knowledge objects and apply them to the events returned by the search. These knowledge objects include extracted fields, calculated fields, lookup fields, field aliases, tags, and event types.

The Splunk software performs these operations in a specific sequence. This can cause problems if you configure something at the top of the process order with a definition that references the result of a configuration that is farther down in the process order.

Search-time operations order example

Consider calculated fields. Calculated field operations are in the middle of the search-time operation sequence. The Splunk software performs several other operations ahead of them, and it performs several more operations after them. Calculated fields derive new fields by running the values of fields that already exist in an event through an eval formula. This means that a calculated field formula cannot include fields that are added to your events by operations that follow calculated fields in the search-time operation sequence.

For example, when you design an eval expression for a calculated field, you can include extracted fields in the expression, because field extractions are processed at the start of the search-time operation sequence. By the time the Splunk software processes calculated fields, the field extractions exist and the calculated field operation can complete correctly.

However, an eval expression for a calculated field should never include fields that are added through a lookup operation. The Splunk software always performs calculated field operations ahead of lookup operations. This means that fields added through lookups at search time are unavailable when the Splunk software processes calculated fields. You will get an error message if your calculated field eval expression includes fields that are added through lookups.

Search-time operation sequence

The following table presents the search-time operation sequence. After the table you can find more information about each operation in the sequence.

Each operation can have configurations that reference fields derived by operations that precede them in the sequence. However, those same configurations cannot contain fields that are derived by operations that follow them in the sequence.

All but one of these operations can be configured through Splunk Web, though some configuration options are only available by making manual .conf edits. You should make all manual file-based operation configurations on the search-head tier.

Note: This list does not include index-time operations, such as default and indexed field extraction. Index-time operations precede all search-time operations. See Index-time versus search time in Managing Indexers and Clusters of Indexers.

Order   | Operation name                                | Can be configured via Splunk Web? | Location of file configuration
First   | Inline field extraction (no field transform)  | Yes | EXTRACT-<class> in a props.conf stanza
Second  | Field extraction that uses a field transform  | Yes | REPORT-<class> in a props.conf stanza
Third   | Automatic key-value field extraction          | No  | props.conf stanzas where KV_MODE is set to a valid value other than none. If no KV_MODE value is specified for a stanza, it is set to auto by default.
Fourth  | Field aliasing                                | Yes | FIELDALIAS-<class> in a props.conf stanza
Fifth   | Calculated fields                             | Yes | EVAL-<fieldname> in a props.conf stanza
Sixth   | Lookups                                       | Yes | LOOKUP-<class> in a props.conf stanza
Seventh | Event types                                   | Yes | eventtypes.conf stanza
Eighth  | Tags                                          | Yes | tags.conf stanza

Inline field extractions

Inline field extractions are explicit field extractions that do not include a field transform reference. An explicit field extraction is a field extraction that is configured to extract a specific field or set of fields.

Each inline field extraction configuration is specific to events belonging to a particular host, source, or source type.

This operation does not include automatic key-value field extractions. Automatic key-value field extractions are their own operation category.

Splunk Web management

Create and manage inline field extractions in Settings. Navigate to Settings > Fields > Field extractions. You can also use the field extractor utility to design inline field extractions.

Configuration information

Create EXTRACT-<class> configurations within props.conf stanzas.

Restrictions

The Splunk software processes all inline field extractions belonging to a specific host, source, or source type in lexicographical order according to their <class> value. This means that you cannot reference a field extracted by EXTRACT-aaa in the field extraction definition for EXTRACT-ZZZ, but you can reference a field extracted by EXTRACT-aaa in the field extraction definition for EXTRACT-ddd. See Lexicographical processing of field extraction configurations.

Because they are at the top of the search-time operation sequence, inline field extraction configurations cannot reference fields that are derived and added to events by any other search-time operation.

Field extraction that uses a field transform

Field extraction configurations that reference a field transform are always processed by the Splunk software after it processes inline field extractions. Like inline field extractions, each transform-referencing field extraction is explicitly configured to extract a specific field or set of fields.

Each transform-referencing field extraction configuration is specific to events belonging to a particular host, source, or source type.

This operation does not include automatic key-value field extractions. Automatic key-value field extractions are their own operation category.

Splunk Web management

You can create and manage field extractions that use field transforms in Settings. Navigate to Settings > Fields and set the field extraction up using the Field Extractions and Field Transformations pages.

Configuration information

Create REPORT-<class> configurations within props.conf stanzas. The REPORT-<class> configurations include a reference to an additional configuration in transforms.conf.

Restrictions

The Splunk software processes all transform-referencing field extractions belonging to a specific host, source, or source type in lexicographical order according to their <class> value. This means that you cannot reference a field extracted by REPORT-aaa in the field extraction definition for REPORT-ZZZ, but you can reference a field extracted by REPORT-aaa in the field extraction definition for REPORT-ddd. See Lexicographical processing of field extraction configurations.

Transform-referencing field extraction configurations can reference fields that are extracted through inline field extraction operations. They cannot reference fields that are derived and added to events by automatic key-value field extractions and other operations that take place later in the search-time operation sequence.

Automatic key-value field extraction

A field extraction configuration that uses the KV_MODE attribute to automatically extract fields for events associated with a specific host, source, or source type.

Automatic key-value field extraction is not explicit, in that you cannot configure it to find a specific field or set of fields. It looks for any key=value patterns it can find in events and extracts them as field-value pairs. It can be configured to extract fields from structured data formats like JSON, CSV, and table-formatted events.

Automatic key-value extraction always takes place after the explicit field extraction methods (inline field extraction and transform-referencing field extraction).

Splunk Web management

There currently is not a way to configure automatic key-value field extractions in Splunk Web.

Configuration information

Set up automatic key-value field extractions for a specific host, source, or source type by finding (or creating) the appropriate stanza in props.conf and setting the KV_MODE attribute to auto, auto_escaped, multi, json, or xml.

When KV_MODE is not set for a props.conf stanza, that stanza has KV_MODE=auto by default. You have to set KV_MODE=none to disable automatic key-value field extraction for a specific host, source, or source type. When automatic key-value field extraction is disabled, explicit field extraction still takes place.

When KV_MODE is set to auto or auto_escaped, automatic JSON field extraction can take place alongside other automatic key/value field extractions. If you need to disable JSON field extraction without changing the KV_MODE value from auto, add AUTO_KV_JSON=false to the stanza. When not set, AUTO_KV_JSON defaults to true.

Restrictions

The Splunk software processes automatic key-value field extractions in the order that it finds them in events.

Field aliasing

Field aliasing is the application of field alias configurations, which enable you to reference a single field in a search by multiple alternate names, or aliases.

Each field alias configuration is specific to events belonging to a particular host, source, or source type.

Splunk Web management

Create and manage field aliases in Settings. Navigate to Settings > Fields > Field aliases.

Configuration information

Create FIELDALIAS-<class> configurations in props.conf stanzas.

Restrictions

The Splunk software processes field aliases belonging to a specific host, source, or source type in lexicographical order. See Lexicographical processing of field extraction configurations.

You can create aliases for fields that are extracted at index time or search time. You cannot create aliases for fields that are added to events by search-time operations that follow the field aliasing process, like lookups and calculated fields.

Calculated fields

Configurations that create one or more fields through the calculation of eval expressions and add those fields to events. The eval expression can use values of fields that are already present in the event due to index-time or search-time field extraction processes.

Each calculated field configuration is specific to events belonging to a particular host, source, or source type.

Splunk Web management

You can create and manage calculated fields in Settings. Navigate to Settings > Fields > Calculated fields.

Configuration information

Create calculated fields by adding EVAL-<fieldname> configurations to props.conf stanzas.

Restrictions

All EVAL-<fieldname> configurations within a single props.conf stanza are processed in parallel, rather than in any particular sequence. This means you can't "chain" calculated field expressions, where the evaluation of one calculated field is used in the expression for another calculated field.

Calculated fields can reference all types of field extractions as well as field aliases. They cannot reference lookups, event types, or tags.

Lookups

Configurations that add fields from lookup tables to events when the lookup table fields are matched with one or more fields already present in those events. There are four distinct types of lookup configurations: CSV lookups, external lookups, KV Store lookups, and geospatial lookups.

Each lookup configuration is specific to events belonging to a particular host, source, or source type.

Splunk Web management

Create and manage your lookups in Settings. Navigate to Settings > Lookups.

Configuration information

Define lookups that automatically add fields to events in search results by creating a LOOKUP-<class> configuration in props.conf. Each LOOKUP-<class> includes a reference to a [<lookup_name>] stanza in transforms.conf.

Restrictions

The Splunk software processes lookups belonging to a specific host, source, or source type in lexicographical order. See Lexicographical processing of field extraction configurations.

Lookup configurations can reference fields that are added to events by field extractions, field aliases, and calculated fields. They cannot reference event types and tags.

Event types

Configurations that add event type field-value pairs to events that match the search strings that define the event types.

Splunk Web management

After you run a search, save it as an event type. You can also define and maintain event types in Settings. Navigate to Settings > Event types.

Configuration information

Configure event types in eventtypes.conf stanzas.

Restrictions

The Splunk software processes event types first by priority score and then by lexicographical order. So it processes all event types with a Priority of 1 first, and applies them to events in lexicographical order. Then it processes event types with a Priority of 2, and so on.

Search strings that define event types cannot reference tags. Event types are always processed and added to events before tags.

Tags

Configurations that add tags to specific field-value pairs in events.

Splunk Web management

You can add tags directly to field-value pairs in search results. You can also define and maintain tags in Settings. Navigate to Settings > Tags.

Configuration information

Configure tags in tags.conf stanzas.

Restrictions

The Splunk software applies tags to field-value pairs in events in lexicographical order, first by the field value, and then by the field name. See Lexicographical processing of field extraction configurations.

You can apply tags to any field-value pair in an event, whether it is extracted at index time, extracted at search time, or added through some other method, such as an event type, lookup, or calculated field.

Lexicographical processing of knowledge object configurations

The Splunk software processes the following knowledge objects in lexicographical order, according to the host, source, or source type they belong to:

  • Inline field extractions
  • Field extractions that use a field transform
  • Field aliases
  • Event types (after they are sorted according to priority)
  • Lookups

The Splunk software processes tags in lexicographical order, but they are not associated with a specific host, source, or source type.

Splunk software uses lexicographical ordering to determine configuration file precedence among app directories. See Configuration file precedence in the Admin Manual.

Lexicographical order

Lexicographical order sorts items based on the values used to encode the items in computer memory. In Splunk software, this is almost always UTF-8 encoding, which is a superset of ASCII.

  • Numbers are sorted before letters. Numbers are sorted based on the first digit. For example, the numbers 9, 10, 70, 100 are sorted lexicographically as 10, 100, 70, 9.
  • Uppercase letters are sorted before lowercase letters.
  • Symbols are not standard. Some symbols are sorted before numeric values. Other symbols are sorted before or after letters.

Example

For example, the Splunk software applies field extractions for a specific host, source, or source type in ASCII sort order. This means that when it processes field extractions belonging to the access_combined_wcookies source type, it processes an extraction called REPORT-BBB before REPORT-ZZZ, then processes REPORT-ZZZ before REPORT-aaa, and so on.

This means that you cannot reference a field extracted by REPORT-aaa in the field extraction definition for REPORT-BBB, because REPORT-BBB is processed first.

For example, this configuration won't work, because the first_ten field is extracted after the first_two field: EXTRACT-ZZZ is processed before EXTRACT-aaa (ZZZ sorts before aaa in ASCII order).

[splunkd]
EXTRACT-aaa = ^(?<first_ten>.{10})
EXTRACT-ZZZ = (?<first_two>.{2}) in first_ten

This configuration will work, because the first_ten field is extracted before the first_two field: EXTRACT-ZZZ is processed before EXTRACT-mmm (ZZZ sorts before mmm in ASCII order).

[mongod]
EXTRACT-ZZZ = ^(?<first_ten>.{10})
EXTRACT-mmm = (?<first_two>.{2}) in first_ten

Here is a search you can use to verify these configuration issues.

index=_internal (sourcetype=splunkd OR sourcetype=mongod) | stats values(first_ten) values(first_two) by sourcetype
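The ASCII ordering rule above and the calculated-field restrictions described earlier (no chaining, no lookup output fields) can be checked before a props.conf change is deployed. The following Python script is an added example and is not part of the Splunk documentation or product; it parses a constructed props.conf stanza (the splunkd example above plus hypothetical EVAL- and LOOKUP- settings) and reports configurations that reference fields produced later in the search-time sequence.

```python
"""Lint a props.conf stanza for the search-time ordering hazards this page describes.
Added example, not Splunk's own code. Rules encoded: EXTRACT classes run in byte
(UTF-8/ASCII) order; EVAL fields run in parallel, cannot chain, and cannot see
LOOKUP output fields. The props.conf text below is constructed for the demo."""
import re

SAMPLE_PROPS = """\
[splunkd]
EXTRACT-aaa = ^(?<first_ten>.{10})
EXTRACT-ZZZ = (?<first_two>.{2}) in first_ten
EVAL-host_upper = upper(host)
EVAL-region_label = region . "-" . host_upper
LOOKUP-geo = geo_lookup host OUTPUT region
"""

CAPTURE = re.compile(r"\(\?P?<(\w+)>")   # named capture groups in an extraction regex


def parse_stanza(text, stanza):
    """Return {key: value} for one [stanza] of props.conf-style text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            current = line.strip("[]")
        elif current == stanza and "=" in line:
            key, value = line.split("=", 1)
            keys[key.strip()] = value.strip()
    return keys


def lint_stanza(keys):
    """Return human-readable ordering problems found in a parsed stanza."""
    problems = []
    # 1. EXTRACT classes are applied in byte order, so EXTRACT-ZZZ runs before EXTRACT-aaa.
    extracts = sorted((k for k in keys if k.startswith("EXTRACT-")),
                      key=lambda k: k.encode("utf-8"))
    defined = set()
    for key in extracts:
        regex, _, src = keys[key].partition(" in ")   # "<regex> in <source_field>"
        src = src.strip()
        if src and src not in defined:
            problems.append(f"{key} reads '{src}' before any earlier EXTRACT defines it")
        defined.update(CAPTURE.findall(regex))
    # 2. Fields that only exist once the (later) lookup operation has run.
    lookup_out = set()
    for key, value in keys.items():
        if key.startswith("LOOKUP-"):
            parts = re.split(r"\s+OUTPUT(?:NEW)?\s+", value, maxsplit=1)
            if len(parts) == 2:   # "OUTPUT src [AS event_field], ..." -> event field names
                for src, alias in re.findall(r"(\w+)(?:\s+AS\s+(\w+))?", parts[1]):
                    lookup_out.add(alias or src)
    # 3. EVAL fields are computed in parallel: no chaining, no lookup fields.
    evals = {k[len("EVAL-"):]: v for k, v in keys.items() if k.startswith("EVAL-")}
    for name, expr in evals.items():
        tokens = set(re.findall(r"[A-Za-z_]\w*", re.sub(r'"[^"]*"', "", expr)))
        for other in sorted(tokens & (set(evals) - {name})):
            problems.append(f"EVAL-{name} chains on calculated field '{other}'")
        for field in sorted(tokens & lookup_out):
            problems.append(f"EVAL-{name} uses lookup output field '{field}'")
    return problems
```

Renaming EXTRACT-aaa to a class that sorts before ZZZ (for example EXTRACT-AAA) clears the extraction finding; the two EVAL findings need the expression rewritten or the work moved into the search itself.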

More information about process order within a single props.conf file

The Admin Manual contains several topics about configuration file administration. One of these topics, Attribute precedence within a single props.conf file, may be of particular interest to those interested in knowledge object processing order. It discusses the following topics.

  • Precedence between sets of stanzas affecting the same host, source, or source type.
  • Overriding the default lexicographical order in props.conf.
  • Precedence for events with multiple attribute assignments.

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3


Comments

Thanks for the comment, Jkat54! You weren't the only person to comment about this. We've updated the topic to state that the Splunk software processes knowledge object class names in ASCII sort order.

Mness, Splunker
October 30, 2016

I think that the processing of knowledge object class names is in ASCII order instead of Alphanumeric.

For example SEDCMD-W will occur before SEDCMD-a because W = 0x087 in ASCII tables and a = 0x097. Since 87 < 97, 87 is processed first.

It might also be useful to reference configuration file precedence and stanza-key collisions.

Thank you in advance! This article is already very useful IMHO!!!

Jkat54
October 27, 2016
