Solved: Stream App for Stream: field parsing problem when ...

kwchang_splunk · ‎11-26-2015

Dear Stream Experts,

I have a field parsing problem when there are binary(?) src_content or dest_content as following image.
There is src_content and dest_content in _raw, but those fields are not parsed correctly by default.
All fields which appear after the binary src_content or dest_content seem to have problems.

And the web UI is also broken. I selected "List" view but displayed like "Raw" view.

I'm using Splunk App for Stream 6.4.1 on Splunk 6.3.1.
Thank you in advance.

vshcherbakov_sp · ‎11-30-2015

hi kwchang,

Seems like Splunk fails to parse this event, despite the event containing properly formatted JSON. I'd recommend opening a ticket in JIRA (SPL project)

View solution in original post

vshcherbakov_sp · ‎11-30-2015

hi kwchang,

Seems like Splunk fails to parse this event, despite the event containing properly formatted JSON. I'd recommend opening a ticket in JIRA (SPL project)

Stream App for Stream: field parsing problem when binary src_content or dest_content fields are there

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023