topic Re: Some fields are not extracted in json in Splunk Search

Some fields are not extracted in json

chandrasekhar46 — Tue, 14 Oct 2025 12:33:19 GMT

i have json event in that some fields not extracting properly when i am table i am not getting some field after message field ex event

here is event and table results

{
"log":{
"emmsite":"Test",
"destsite":null,
"side":"INB",
"datetime":"10/14/2025 19:14:05",
"interfaceid":"TI000",
"env":"dev",
"objectid":null,
"objecttype":"WS",
"objectname":"Cancel Method / Cancel Request",
"interface":"CancelAnalysisService",
"project":"unilims",
"message":"<ns0:ErrorReport xmlns:ns0=\http://www.tibco.com/pe/EngineTypes\>\n <StackTrace>Job-30001 Error in [Applications/CEP/Processes/In_ADRMAS_A.process/Parse XML]\nA validation occurred while parsing: validation error: unexpected content \"YE1AUSPM\"; expected \"E1BPAD1VL\" or \"E1BPADTEL\" or \"E1BPADFAX\" or \"E1BPADTTX\" or \"E1BPADTLX\" or \"E1BPADSMTP\" or \"E1BPADRML\" or \"E1BPADX400\" or \"E1BPADRFC\" or \"E1BPADPRT\" or \"E1BPADSSF\" or \"E1BPADURI\" or \"E1BPADPAG\" or \"E1BPAD__REM\" or \"E1BPCOMREM\" or \"E1BPADUSE\" ({com.tibco.xml.validation}COMPLEX_E_UNEXPECTED_CONTENT) at /ns:ADRMAS03-4x[1]/CHILDREN[1]/E1ADRMAS[1]/item[1]/CHILDREN[1]/YE1AUSPM[1]\ncom.tibco.xml.validation.exception.UnexpectedElementException: unexpected content \"YE1AUSPM\"; expected \"E1BPAD1VL\" or \"E1BPADTEL\" or \"E1BPADFAX\" or \"E1BPADTTX\" or \"E1BPADTLX\" or \"E1BPADSMTP\" or \"E1BPADRML\" or \"E1BPADX400\" or \"E1BPADRFC\" or \"E1BPADPRT\" or \"E1BPADSSF\" or \"E1BPADURI\" or \"E1BPADPAG\" or \"E1BPAD__REM\" or \"E1BPCOMREM\" or \"E1BPADUSE\"\n\tat com.tibco.xml.validation.state.dri",
"logtype":"Email",
"transactionid":null,
"ack_ai":"test.email@sanofi.com",
"ack_gp":" Order Cancellation Notice, Batch Reference No:"
}
}

search and results some fields are not extracted after message even json

index=test_index source="sandbox_test"
| table log.*

log.datetime log.destsite log.emmsite log.env log.interface log.interfaceid log.objectid log.objectname log.objecttype log.project log.side

10/14/2025 19:14:05

null

CEP

dev

CancelAnalysisService

TI000

null

Cancel Method / Cancel Request

utest

INB

10/14/2025 19:14:05

null

CEP

dev

CancelAnalysisService

TI000

null

Cancel Method / Cancel Request

utest

INB

Re: Some fields are not extracted in json

ITWhisperer — Tue, 14 Oct 2025 12:57:33 GMT

Please share your event in raw format in a code block using the </> formatting button.

Re: Some fields are not extracted in json

isoutamo — Tue, 14 Oct 2025 13:10:13 GMT

Also how long those events can be? There are defaults for auto extraction and those are not so big than you could expect.

Re: Some fields are not extracted in json

chandrasekhar46 — Wed, 15 Oct 2025 04:54:29 GMT

sorry i was miss some closing blocks here is full event

{
"log":{
"emmsite":"CEP",
"destsite":null,
"side":"INB",
"datetime":"10/14/2025 19:14:05",
"interfaceid":"TI000",
"env":"dev",
"objectid":null,
"objecttype":"WS",
"objectname":"Cancel Method / Cancel Request",
"interface":"CancelAnalysisService",
"project":"test",
"message":"<ns0:ErrorReport xmlns:ns0=\\http://www.tibco.com/pe/EngineTypes\\>\n <StackTrace>Job-30001 Error in [Applications/CEP/Processes/In_ADRMAS_A.process/Parse XML]\nA validation occurred while parsing: validation error: unexpected content \"YE1AUSPM\"; expected \"E1BPAD1VL\" or \"E1BPADTEL\" or \"E1BPADFAX\" or \"E1BPADTTX\" or \"E1BPADTLX\" or \"E1BPADSMTP\" or \"E1BPADRML\" or \"E1BPADX400\" or \"E1BPADRFC\" or \"E1BPADPRT\" or \"E1BPADSSF\" or \"E1BPADURI\" or \"E1BPADPAG\" or \"E1BPAD__REM\" or \"E1BPCOMREM\" or \"E1BPADUSE\" ({com.tibco.xml.validation}COMPLEX_E_UNEXPECTED_CONTENT) at /ns:ADRMAS03-4x[1]/CHILDREN[1]/E1ADRMAS[1]/item[1]/CHILDREN[1]/YE1AUSPM[1]\ncom.tibco.xml.validation.exception.UnexpectedElementException: unexpected content \"YE1AUSPM\"; expected \"E1BPAD1VL\" or \"E1BPADTEL\" or \"E1BPADFAX\" or \"E1BPADTTX\" or \"E1BPADTLX\" or \"E1BPADSMTP\" or \"E1BPADRML\" or \"E1BPADX400\" or \"E1BPADRFC\" or \"E1BPADPRT\" or \"E1BPADSSF\" or \"E1BPADURI\" or \"E1BPADPAG\" or \"E1BPAD__REM\" or \"E1BPCOMREM\" or \"E1BPADUSE\"\n\tat com.tibco.xml.validation.state.dri",
"logtype":"Email",
"transactionid":null,
"ack_ai":"test.emai@testdomain.com",
"ack_gp":" Batch Reference No:"
}
}

Re: Some fields are not extracted in json

PrewinThomas — Wed, 15 Oct 2025 06:07:50 GMT

@chandrasekhar46

Looks like Splunk’s auto JSON extraction is interrupted by the long/escaped message field. Are you using spath in your search?

Can you try using spath

| spath | table log.datetime log.emmsite log.env log.interface log.interfaceid log.objectname log.objecttype log.project log.side log.logtype log.ack_ai log.ack_gp

or target the specific fields you need

| spath path=log.logtype | spath path=log.transactionid | spath path=log.ack_ai | spath path=log.ack_gp

Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

Re: Some fields are not extracted in json

ITWhisperer — Wed, 15 Oct 2025 07:31:02 GMT

Is this really what your event looks like? I would have expected the namespace to have escaped double quotes, not escaped backslashes?

Please share your raw event is a code block to prevent any undue reformatting of the data.

Re: Some fields are not extracted in json

yuanliu — Thu, 16 Oct 2025 05:20:39 GMT

Unless your shared event is butchered by your sharing method, it is NOT a valid JSON object. You can test this with Python's json.tool module

python3 -mjson.tool <<<'<your event text>'

json.tool will tell you that the message is incorrectly quoted as @ITWhisperer suggests: "Invalid \escape: line 14 column 39 (char 304)". When event is not valid, of course Splunk will butcher extraction. (I have also tested with spath - it cannot extract all fields.)

If you have sanitized the sample event, make sure you preserve JSON syntax precisely. Share in a code box, not as plain text. Otherwise you need to examine your ingestion, even question your developers about the original content.