https://community.splunk.com/t5/Getting-Data-In/Why-is-my-table-field-from-JSON-not-working-on-all-fields/m-p/440056#M76745 <P>If you cannot provide a sanitized event of identical size, then there is no good way for us to help.</P> Thu, 03 Jan 2019 01:52:15 GMT woodcock 2019-01-03T01:52:15Z https://community.splunk.com/t5/Getting-Data-In/Why-is-my-table-field-from-JSON-not-working-on-all-fields/m-p/440049#M76738 <P>We are working with the following JSON generated by a dcos/marathon api:</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/6262i6C9E3B4020B2FE6B/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>When I run:</P> <PRE><CODE>index=dcos sourcetype="dcos:marathon:metrics" | table gauges.api.mesosphere.marathon.core.event.impl.stream.HttpEventStreamActorMetrics.number-of-streams.count </CODE></PRE> <P>I get a nice table with all the expected numbers. </P> <P>But, when I run: </P> <PRE><CODE>index=dcos sourcetype="dcos:marathon:metrics" | table gauges.service.mesosphere.marathon.leaderDuration.count </CODE></PRE> <P>All the fields are empty.</P> <P>Why can I see the correct values for "gauges.api.mesosphere.marathon.core.event.impl.stream.HttpEventStreamActorMetrics.number-of-streams.count" But can not see it for gauges.service.mesosphere.marathon.leaderDuration.count<BR /> I also tried to get the data with spath like:</P> <PRE><CODE>index=dcos sourcetype="dcos:marathon:metrics" | spath "gauges.service.mesosphere.marathon.leaderDuration.count" | table * </CODE></PRE> <P>But again, the values are empty even though I can see gauges.service.mesosphere.marathon.leaderDuration.count in the table headings.</P> <P>Even when I generate the searches with Splunk I get no data</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/6263i57FE4060047C39F7/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Tue, 18 Dec 2018 15:49:40 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-my-table-field-from-JSON-not-working-on-all-fields/m-p/440049#M76738 sboogaar 2018-12-18T15:49:40Z https://community.splunk.com/t5/Getting-Data-In/Why-is-my-table-field-from-JSON-not-working-on-all-fields/m-p/440050#M76739 <P>@sboogaar</P> <P>Can you please share the sample JSON event??</P> Tue, 18 Dec 2018 17:06:00 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-my-table-field-from-JSON-not-working-on-all-fields/m-p/440050#M76739 kamlesh_vaghela 2018-12-18T17:06:00Z https://community.splunk.com/t5/Getting-Data-In/Why-is-my-table-field-from-JSON-not-working-on-all-fields/m-p/440051#M76740 <P>Does splunk create a field name <CODE>gauges.service.mesosphere.marathon.leaderDuration.count</CODE> similar to what it has created where it showed you the contents in the table. </P> Tue, 18 Dec 2018 17:21:34 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-my-table-field-from-JSON-not-working-on-all-fields/m-p/440051#M76740 macadminrohit 2018-12-18T17:21:34Z https://community.splunk.com/t5/Getting-Data-In/Why-is-my-table-field-from-JSON-not-working-on-all-fields/m-p/440052#M76741 <P>@macadminrohit Yes see the last image.</P> Wed, 19 Dec 2018 07:55:46 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-my-table-field-from-JSON-not-working-on-all-fields/m-p/440052#M76741 sboogaar 2018-12-19T07:55:46Z https://community.splunk.com/t5/Getting-Data-In/Why-is-my-table-field-from-JSON-not-working-on-all-fields/m-p/440053#M76742 <P>@kamlesh_vaghela It is 34k characters long and contains private data so I can not share it, if you tell me what you want to check I will try to provide that information.</P> Wed, 19 Dec 2018 08:52:20 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-my-table-field-from-JSON-not-working-on-all-fields/m-p/440053#M76742 sboogaar 2018-12-19T08:52:20Z https://community.splunk.com/t5/Getting-Data-In/Why-is-my-table-field-from-JSON-not-working-on-all-fields/m-p/440054#M76743 <P>@sboogaar<BR /> I have a doubt regarding below configurations. It might be hit in your event. Can you please reconfigure limits.conf if required and check again.</P> <PRE><CODE>extraction_cutoff = &lt;integer&gt; * For extract-all spath extraction mode, only apply extraction to the first &lt;integer&gt; number of bytes. * Default: 5000 </CODE></PRE> <P><A href="https://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf#.5Bspath.5D">https://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf#.5Bspath.5D</A></P> <PRE><CODE>limit = &lt;integer&gt; * The maximum number of fields that an automatic key-value field extraction (auto kv) can generate at search time. * If search-time field extractions are disabled (KV_MODE=none in props.conf) then this setting determines the number of index-time fields that will be returned. * The summary fields 'host', 'index', 'source', 'sourcetype', 'eventtype', 'linecount', 'splunk_server', and 'splunk_server_group' do not count against this limit and will always be returned. * Increase this setting if, for example, you have indexed data with a large number of columns and want to ensure that searches display all fields from the data. * Default: 100 </CODE></PRE> <P><A href="https://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf#.5Bkv.5D">https://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf#.5Bkv.5D</A></P> Wed, 19 Dec 2018 10:13:45 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-my-table-field-from-JSON-not-working-on-all-fields/m-p/440054#M76743 kamlesh_vaghela 2018-12-19T10:13:45Z https://community.splunk.com/t5/Getting-Data-In/Why-is-my-table-field-from-JSON-not-working-on-all-fields/m-p/440055#M76744 <P>Splunk has a limitation on how big a json it is able to extract. </P> <P>Let's verify that is not the issue. This should snip out all the nodes in the JSON before the leaderDuration node.</P> <PRE><CODE> index=dcos sourcetype="dcos:marathon:metrics" | head 1 | rex mode=sed field=_raw "s/(gauges:\s{)(.*)(service.mesosphere.marathon.leaderDuration)/\1\3/g" </CODE></PRE> <P>Verify that that code kills the earlier data. After that, try </P> <PRE><CODE>| table gauges.service.mesosphere.marathon.leaderDuration.count </CODE></PRE> <P>and</P> <PRE><CODE>| spath "gauges.service.mesosphere.marathon.leaderDuration.count" </CODE></PRE> Wed, 02 Jan 2019 17:38:10 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-my-table-field-from-JSON-not-working-on-all-fields/m-p/440055#M76744 DalJeanis 2019-01-02T17:38:10Z https://community.splunk.com/t5/Getting-Data-In/Why-is-my-table-field-from-JSON-not-working-on-all-fields/m-p/440056#M76745 <P>If you cannot provide a sanitized event of identical size, then there is no good way for us to help.</P> Thu, 03 Jan 2019 01:52:15 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-my-table-field-from-JSON-not-working-on-all-fields/m-p/440056#M76745 woodcock 2019-01-03T01:52:15Z https://community.splunk.com/t5/Getting-Data-In/Why-is-my-table-field-from-JSON-not-working-on-all-fields/m-p/440057#M76746 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/127939">@kamlesh_vaghela</a> changing the extraction_cutoff worked I did not need to update the limit. If you post it as an answer I will accept it.</P> Tue, 29 Sep 2020 22:38:37 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-my-table-field-from-JSON-not-working-on-all-fields/m-p/440057#M76746 sboogaar 2020-09-29T22:38:37Z https://community.splunk.com/t5/Getting-Data-In/Why-is-my-table-field-from-JSON-not-working-on-all-fields/m-p/440058#M76747 <P>Great @sboogaar, extraction_cutoff worked for you. <BR /> Glad to help you.</P> Thu, 03 Jan 2019 09:48:24 GMT https://community.splunk.com/t5/Getting-Data-In/Why-is-my-table-field-from-JSON-not-working-on-all-fields/m-p/440058#M76747 kamlesh_vaghela 2019-01-03T09:48:24Z