https://community.splunk.com/t5/Splunk-Enterprise/Still-having-to-quot-SPATH-quot-despite-quot-INDEXED-EXTRACTIONS/m-p/628039#M15192 <P>There are three separate methods of handling json data - spath, auto_kv and indexed extractions. And each of them names fields differently as far as I remember. auto_kv "flattens" the json structure and gives you only leaf field names whereas spath creates field names from the whole object path. I think indexed extractions produce something more similar to auto_kv but I'm not 100% sure - I don't use it very often.</P> Mon, 23 Jan 2023 20:02:01 GMT PickleRick 2023-01-23T20:02:01Z https://community.splunk.com/t5/Splunk-Enterprise/Still-having-to-quot-SPATH-quot-despite-quot-INDEXED-EXTRACTIONS/m-p/627833#M15178 <P>These two pieces of SPL return two different-looking tables.&nbsp;<BR /><BR /></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=servicenow sourcetype=incident number=INC5181781 | spath opened_at | spath resolved_at | table number, opened_at, resolved_at, number, _time</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Will provide me with different results vs.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">index=servicenow sourcetype=incident number=INC5181781 | table number, opened_at, resolved_at, number, _time</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>In the one with "spath" the table has more values for those values for "opened_at" and "resolved_at". The same number of events are discovered, but the table makes it look like one event is "missing" dimensions.<BR /><BR />Even if I do these two search, and compare the "Selected Fields" section on the left hand side, the one with spath has more "events" that have the values.&nbsp;</P> <P>&nbsp;</P> <P>In the props.conf file the "source" has the line</P> <P class=""><SPAN class="">INDEXED_EXTRACTIONS = json</SPAN></P> <P><BR />This may also be impacting my ability to search as well. It seems like I will not get complete results unless I do something like&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="markup">sourcetype=incident |spath number |spath category |search number=INC5181781 category=Closed</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>I assume something is not configured as I expect it to be, and I am unsure where else to check.</P> Mon, 23 Jan 2023 15:54:36 GMT https://community.splunk.com/t5/Splunk-Enterprise/Still-having-to-quot-SPATH-quot-despite-quot-INDEXED-EXTRACTIONS/m-p/627833#M15178 swangertyler 2023-01-23T15:54:36Z https://community.splunk.com/t5/Splunk-Enterprise/Still-having-to-quot-SPATH-quot-despite-quot-INDEXED-EXTRACTIONS/m-p/627842#M15179 <P>Can you share an example (sanitized) raw event?&nbsp; It sounds like the event is not perfect JSON and so INDEXED_EXTRACTIONS is not extracting fields.</P> Fri, 20 Jan 2023 22:06:51 GMT https://community.splunk.com/t5/Splunk-Enterprise/Still-having-to-quot-SPATH-quot-despite-quot-INDEXED-EXTRACTIONS/m-p/627842#M15179 richgalloway 2023-01-20T22:06:51Z https://community.splunk.com/t5/Splunk-Enterprise/Still-having-to-quot-SPATH-quot-despite-quot-INDEXED-EXTRACTIONS/m-p/628023#M15189 <P>When I put the _raw event into something like&nbsp;<A href="https://jsonlint.com/" target="_blank">https://jsonlint.com/</A>&nbsp;it appears to be valid. However, I do know that a field in the original payload is a large text field, so it seems possible that something funny is happening.&nbsp;<BR /><BR />I'll see if I can sanitize an event and get it posted here.&nbsp;</P> Mon, 23 Jan 2023 18:35:32 GMT https://community.splunk.com/t5/Splunk-Enterprise/Still-having-to-quot-SPATH-quot-despite-quot-INDEXED-EXTRACTIONS/m-p/628023#M15189 swangertyler 2023-01-23T18:35:32Z https://community.splunk.com/t5/Splunk-Enterprise/Still-having-to-quot-SPATH-quot-despite-quot-INDEXED-EXTRACTIONS/m-p/628039#M15192 <P>There are three separate methods of handling json data - spath, auto_kv and indexed extractions. And each of them names fields differently as far as I remember. auto_kv "flattens" the json structure and gives you only leaf field names whereas spath creates field names from the whole object path. I think indexed extractions produce something more similar to auto_kv but I'm not 100% sure - I don't use it very often.</P> Mon, 23 Jan 2023 20:02:01 GMT https://community.splunk.com/t5/Splunk-Enterprise/Still-having-to-quot-SPATH-quot-despite-quot-INDEXED-EXTRACTIONS/m-p/628039#M15192 PickleRick 2023-01-23T20:02:01Z