How to search on nested fields not returning the right results?

rxvichi
Loves-to-Learn Everything

The search that fetches based on one of the nested fields, "labels.errorCode", does not return the same results. [image: query returning the wrong number of results]

This search below returns the right results. But we would like to search based on the field labels.errorCode.

[image: query returning the right number of results]


bowesmana
SplunkTrust

Your searches are different - one searches labels.errorCode=9001 and the other searches with other search strings. Why are 29 results in your first search "wrong" - what is wrong?

Is it returning 29 results that do NOT have labels.errorCode=9001? You have redacted the data in that, so I can't know.

Is 154,465 results the correct number of results which contain labels.errorCode=9001?


rxvichi
Loves-to-Learn Everything

Sorry, I made it a bit confusing. The first search result does not return the values returned in the second search result, even though the second search result has labels.errorCode=9001. The first search does not return all the values; it just returns a subset. Also, the redacted data is the same in both queries.


bowesmana
SplunkTrust

Are the JSON fields being auto-extracted in all cases, and what is the length of the JSON data? The best thing to diagnose is to focus on a single event that you can see has errorCode=9001 but is not found in the search, and understand why that event is not found.

It can be that the field does not exist (i.e. it is not a Splunk field, as opposed to it not existing in the data) prior to the search.

When you have a single search result that does not work, look at the extracted field table on the left and see what fields Splunk thinks it has.

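A diagnostic search that follows the approach bowesmana describes, as an added example that is not part of the original thread. It assumes placeholder values for the index and sourcetype (`<your_index>`, `<your_sourcetype>`); the only field name taken from the thread is labels.errorCode. It starts from the free-text term "9001", which matches the literal token in _raw whether or not any field was extracted, and then records for each event whether labels.errorCode was auto-extracted at search time, whether spath can still parse it out of _raw, and how long the raw event is:

```spl
index=<your_index> sourcetype=<your_sourcetype> "9001"
| eval raw_len=len(_raw)
| eval auto_extracted=if(isnotnull('labels.errorCode'), "yes", "no")
| spath input=_raw path=labels.errorCode output=spath_errorCode
| fillnull value="MISSING" spath_errorCode
| eval spath_ok=if(spath_errorCode!="MISSING", "yes", "no")
| stats count min(raw_len) AS min_len max(raw_len) AS max_len BY auto_extracted spath_ok spath_errorCode
```

Reading the result table: rows with auto_extracted=no but spath_ok=yes are events where the JSON is intact but the field was never created by search-time extraction for that sourcetype, so a search on labels.errorCode=9001 cannot match them; rows with spath_ok=no and a large max_len point to events whose JSON is not parseable as a whole, which is what to expect if the event exceeded the configured event length and was truncated. Swapping the final stats line for `| head 1 | table _raw raw_len auto_extracted spath_errorCode` gives the single-event view suggested above, and the extracted-field list in the left sidebar for that one event shows which fields Splunk actually has for it.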