The search which fetches based on one of the nested fields, "labels.errorCode", does not return the same results.
(screenshot: query returning the wrong number of results)
This search below returns the right results. But we would like to search based on the field labels.errorCode.
(screenshot: query returning the right number of results)
Your searches are different - one searches labels.errorCode=9001 and the other searches with other search strings. Why are 29 results in your first search "wrong" - what is wrong?
Is it returning 29 results that do NOT have labels.errorCode=9001? You have redacted the data in that, so I can't know.
Is 154,465 results the correct number of results which contain labels.errorCode=9001?
Sorry, I made it a bit confusing. The first search result does not return the values returned in the second search result, even though the second search result has labels.errorCode=9001. The first search does not return all the values; it just returns a subset. Also, the redacted data is the same in both queries.
Are the JSON fields being auto extracted in all cases and what is the length of the JSON data? Best thing to diagnose is to focus on a single event that you can see has errorCode=9001, but is not found in the search and understand why that event is not found.
It can be that the field does not exist (i.e. it is not a Splunk field, as opposed to it not existing in the data) prior to the search.
When you have a single search result that does not work, look at the extracted field table on the left and see what fields Splunk thinks it has.
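An added diagnostic search that follows this answer's advice (example SPL written for this reply, not taken from the original thread): the first search groups events containing the literal 9001 by whether Splunk actually extracted `labels.errorCode`, with event lengths; the second forces JSON parsing with `spath` to list the events the OP's first search misses. Index, sourcetype and the other search terms are placeholders in angle brackets; the field name `labels.errorCode` is assumed from the question.

```spl
index=<your_index> sourcetype=<your_sourcetype> "9001"
| eval errorCode_extracted=if(isnull('labels.errorCode'), "missing", "present"),
       raw_length=len(_raw)
| stats count, min(raw_length) AS shortest_event, max(raw_length) AS longest_event BY errorCode_extracted

index=<your_index> sourcetype=<your_sourcetype> "9001" NOT labels.errorCode=9001
| spath path=labels.errorCode output=errorCode_spath
| where errorCode_spath="9001"
| eval raw_length=len(_raw)
| table _time raw_length _raw
```

If the "missing" bucket is populated and those events are noticeably longer, check whether they exceed the automatic KV extraction limit (`maxchars` in the `[kv]` stanza of limits.conf) or are not valid JSON at all; a field found by `spath` but absent from auto-extraction is exactly the "not a Splunk field prior to the search" case described above.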