https://community.splunk.com/t5/Splunk-Search/How-to-not-automatically-invoke-the-spath-command-in-raw-data/m-p/329503#M98056 <P>@nawazns5038, can you elaborate more on your issue. What is the data you are looking at and What you click and which search runs by default. Community members will be able to assist you better if there was more detail!</P> Thu, 12 Apr 2018 19:57:58 GMT niketn 2018-04-12T19:57:58Z https://community.splunk.com/t5/Splunk-Search/How-to-not-automatically-invoke-the-spath-command-in-raw-data/m-p/329502#M98055 <P>Hi,</P> <P>We are using JSON data and the field extractions are done already. So we no need to use the spath command. But when we click on raw data and add it to the search the spath command is automatically invoked. How can we correct that, the spath command takes a lot of time and is not needed in our case. </P> <P>Thanks,</P> Thu, 12 Apr 2018 18:21:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-not-automatically-invoke-the-spath-command-in-raw-data/m-p/329502#M98055 nawazns5038 2018-04-12T18:21:14Z https://community.splunk.com/t5/Splunk-Search/How-to-not-automatically-invoke-the-spath-command-in-raw-data/m-p/329503#M98056 <P>@nawazns5038, can you elaborate more on your issue. What is the data you are looking at and What you click and which search runs by default. Community members will be able to assist you better if there was more detail!</P> Thu, 12 Apr 2018 19:57:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-not-automatically-invoke-the-spath-command-in-raw-data/m-p/329503#M98056 niketn 2018-04-12T19:57:58Z https://community.splunk.com/t5/Splunk-Search/How-to-not-automatically-invoke-the-spath-command-in-raw-data/m-p/329504#M98057 <P>sure..</P> <P>{<BR /><BR /> action: xxxxxxxx<BR /><BR /> dnsQName: xxxxxxx<BR /> dstIPv4: xxxxxxxxx<BR /> dstPort: xxxxxxxxx<BR /> fileMd5: xxxxxxxxxxxxxxxxxxxx<BR /> localEndpoint: xxxxxxx<BR /> pGuid: xxxxxxxxxxxx<BR /><BR /> pName: xxxxxxxxxx <BR /> pid: xxxxxxxxxxx<BR /> proto: TCP<BR /><BR /> protoVersion: xxxxxxxxx<BR /> }</P> <P>That is the example event we are having, suppose if we click on TCP and say add to search, it will not add "proto=TCP" to the search , instead it will do this,</P> <P><CODE>index=abcd | spath proto | search proto=TCP</CODE></P> <P>where you can see the spath command invoked and it takes a lot of time for the completion and is not necessary in our case where the field values are already extracted. </P> <P>We have a lot of users and some random users coming and in and going, so better to disable the feature than intimating everyone </P> Fri, 13 Apr 2018 21:14:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-not-automatically-invoke-the-spath-command-in-raw-data/m-p/329504#M98057 nawazns5038 2018-04-13T21:14:43Z https://community.splunk.com/t5/Splunk-Search/How-to-not-automatically-invoke-the-spath-command-in-raw-data/m-p/329505#M98058 <P>hmmm this looks like some issue with index time - </P> <P>Can you try setting the follwoing<BR /> indexed_extractions=JSON or KV_MODE=JSON in the props.conf file<BR /> I suspect this is missing</P> <P>Refer spath doc here - <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath" target="_blank">http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath</A><BR /> Sectionm Alternative to the spath command</P> Tue, 29 Sep 2020 19:02:26 GMT https://community.splunk.com/t5/Splunk-Search/How-to-not-automatically-invoke-the-spath-command-in-raw-data/m-p/329505#M98058 Sukisen1981 2020-09-29T19:02:26Z https://community.splunk.com/t5/Splunk-Search/How-to-not-automatically-invoke-the-spath-command-in-raw-data/m-p/329506#M98059 <P>@nawazns5038, as suggested by @Sukisen1981, please share your props.conf used the JSON data.<BR /> You should try the following settings:</P> <PRE><CODE>INDEXED_EXTRACTIONS=json KV_MODE=none </CODE></PRE> <P>I was able to search directly by field names upon drilldown unlike the spath command.</P> <P>Also is the drilldown from raw search or is it from existing table? Is it possible that the query that populates the table is using spath and your drilldown is on top of that query rather than raw events?</P> Sun, 15 Apr 2018 16:25:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-not-automatically-invoke-the-spath-command-in-raw-data/m-p/329506#M98059 niketn 2018-04-15T16:25:40Z https://community.splunk.com/t5/Splunk-Search/How-to-not-automatically-invoke-the-spath-command-in-raw-data/m-p/329507#M98060 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/182782">@Sukisen1981</a> , <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/201110">@niketn</a>,</P> <P>[json_time]<BR /> SHOULD_LINEMERGE = false<BR /> TIME_FORMAT =%F %T.%3N<BR /> TIME_PREFIX =time\":\"<BR /> MAX_TIMESTAMP_LOOKAHEAD = 25<BR /> TRUNCATE = 0<BR /> TZ = UTC</P> <H1>INDEXED_EXTRACTIONS = json</H1> <P>NO_BINARY_CHECK=true<BR /> KV_MODE = none<BR /> LINE_BREAKER = ([\r\n]+){<BR /> AUTO_KV_JSON = false</P> <P>The above is the props.conf begin used and I don't think we need to use <CODE>INDEXED_EXTRACTIONS=json</CODE> as it may cause double extractions of the fields, as mentioned the field values are extracted automatically, just by using above props.conf. </P> <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/201110">@niketn</a> it is coming from the _raw events itself, </P> <P>You can search for an index .... like index=abcd. After the _raw events are displayed you can chose a value and add to the search it invokes the spath automatically. </P> Tue, 29 Sep 2020 19:02:46 GMT https://community.splunk.com/t5/Splunk-Search/How-to-not-automatically-invoke-the-spath-command-in-raw-data/m-p/329507#M98060 nawazns5038 2020-09-29T19:02:46Z https://community.splunk.com/t5/Splunk-Search/How-to-not-automatically-invoke-the-spath-command-in-raw-data/m-p/329508#M98061 <P>does the following search work?<BR /> <CODE>index=abcd proto=TCP</CODE><BR /> If so there may not be a problem. The behavior you are describing, with spath being added to the search, is the default behavior when Splunk detects JSON or XML events. If there is a way to turn it off, you may not want to as it will turn off the behavior for all JSON or XML inputs. </P> Tue, 17 Apr 2018 13:53:43 GMT https://community.splunk.com/t5/Splunk-Search/How-to-not-automatically-invoke-the-spath-command-in-raw-data/m-p/329508#M98061 cstump_splunk 2018-04-17T13:53:43Z https://community.splunk.com/t5/Splunk-Search/How-to-not-automatically-invoke-the-spath-command-in-raw-data/m-p/329509#M98062 <P>we don't need that to any of the inputs all the data sources are straight forward with fields extracted. </P> <P>Do you know how to turn the default Splunk feature off ??</P> Tue, 17 Apr 2018 23:13:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-not-automatically-invoke-the-spath-command-in-raw-data/m-p/329509#M98062 nawazns5038 2018-04-17T23:13:31Z