Solved: Splunk Search does not return all event data on a ...

mgarciar · ‎04-27-2016

I'm facing a very strange issue in my Splunk search. I have a data input coming from a REST API that returns a multi-level (nested) JSON response:

The entity node has several nodes, each node represents one access point. Each access point contains a field called ipAddress. This API is being called every 5 min and response stored in Splunk. When I do a search to get the list of IP Addresses from one event I don't get all of them. For some reason, is like Splunk is reading only the first seven nodes inside entity, because when I do:

source="rest://AccessPointDetailsAPI" | head 1

Splunk shows only the following values on the field (7 values although there are around 27😞

I'm using demo license if that matters. Why I cannot see all values ? If I change my search to look for a specific iPAddress on the API response but that is not on the Splunk list of field values I get no records.

It's like the search does not get all the values on the event for some fields.

Thanks and regards,

mgarciar · ‎04-28-2016

I think I understand the problem now. So the event is a big json and Splunk is not properly parsing all fields on the big json.

We need to tell splunk to parse the specific field we need with spath and specifying the field:

yoursearch | spath output=myIpAddress path=queryResponse.entity{}.accessPointDetailsDTO.ipAddress | table myIpAddress

http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Spath

But I think also is important to analyze if maybe the data input needs to be divided in multiple events rather than a single huge event.

View solution in original post

mgarciar · ‎04-28-2016

I think I understand the problem now. So the event is a big json and Splunk is not properly parsing all fields on the big json.

We need to tell splunk to parse the specific field we need with spath and specifying the field:

yoursearch | spath output=myIpAddress path=queryResponse.entity{}.accessPointDetailsDTO.ipAddress | table myIpAddress

http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Spath

But I think also is important to analyze if maybe the data input needs to be divided in multiple events rather than a single huge event.

swapnil_wadkute · ‎04-29-2016

It works like a charm. Thank you 🙂

swapnil_wadkute · ‎04-28-2016

I am also using REST API to get data in Splunk and facing same problem. Did you get any solution on this?

mgarciar · ‎04-28-2016

I think so ... check my answer

richgalloway · ‎04-27-2016

It sounds like the data is not getting indexed properly. How are you getting the data into Splunk?

---
If this reply helps you, Karma would be appreciated.

mgarciar · ‎04-27-2016

I'm using the REST API app (https://splunkbase.splunk.com/app/1546/)

The event is showing all the data in splunk. Actually, if I do a search like this:

source="rest://PRIME_AccessPointDetailsAPI" | search "11.111.122.33"

Splunk will find that data, but if I do this

source="rest://PRIME_AccessPointDetailsAPI" | search queryResponse.entity{}.accessPointDetailsDTO.ipAddress="11.111.122.33"

I won't get any data back, unless the ipAddress value I use is on the list Splunk gives me on the field (second image)

Splunk Search does not return all event data on a field

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases