Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

String field value is working only when spath is used

Poojitha
Communicator
‎03-10-2025 12:07 AM

Hi All,

I need help in knowing below.

There is a field named lvl, which is of type=string. 

Raw Data : 

 

{  
    "time": "2025-03-10T06:20:29", 
    "corr": "3hgewhrger2346324632434gjhf", 
    "dpnt": "test.dpmt", 
    "appn": "test - appn",
     "lvl": "Warn", 
     "mod": "test.mod", 
     "tid": "171",
     "oper": "SetTestContext",
     "rslt": "Succeeded", 
     "msg": "test msg",
    "inst": "test inst", 
    "x-trace-id": "Root=1-65325bhg-test3;Sampled=1" 
}

 

Though lvl is of type string, if I try | search lvl="Warn" or lvl=Warn, it renders no result. Instead if I do
 | spath  lvl and then | search lvl="Warn" or  lvl=Warn it is showing result. Whereas for other fields like dpnt which is again of type string, it is working fine with | search dpnt="test.dpmt". 


I understand spath works on structured data format like json and xml but not getting what is happening in this case. Why is lvl string field not working as expected ? Please can anyone shade some light on this. 

Thanks,
PNV

Labels (1)
Labels
Tags (2)
0 Karma
Reply

Poojitha
Communicator
‎03-10-2025 12:43 AM

@gcusello  : Thanks for the response. Agreed on the format. But why lvl and dpnt field are behaving different ?
|search lvl="Warn" works only with spath whereas | search dpnt="test.dpmt" works even though I do not use spath on that.


0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-10-2025 12:49 AM

Hi @Poojitha ,

I don't really know!

which fields are listed in in tersting fields if you run the search without filters?

do you see all the fields?

Ciao.

Giuseppe

0 Karma
Reply

Poojitha
Communicator
‎03-10-2025 01:31 AM

@gcusello I tested again. 

Yes,  I could see  all of them under interesting fields (all fields in raw data).

Only lvl=<value> is not working if I add it in first line of search together with sourcetype and index or if I use with search command. Rest of the fields are working fine without spath.

Regards,
PNV

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-10-2025 02:22 AM

Hi @Poojitha ,

try to click on the value you want for lv1 using the interesting fields panel and see how it displays this filter.

Ciao.

Giuseppe

0 Karma
Reply

Poojitha
Communicator
‎03-10-2025 03:13 AM

Poojitha_0-1741601667665.png

 

 

@gcusello  yes sir, I tried.  I clicked on lvl --> Info value. It is getting filtered as  lvl=Info but now no result though there is result for lvl="Info"

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-10-2025 03:16 AM

Hi @Poojitha ,

there is no reason for this behavior.

If you can, open a ticket to Splunk Support.

Ciao.

Giuseppe

0 Karma
Reply

Poojitha
Communicator
‎03-10-2025 03:51 AM

@gcusello Thanks sir. I will do same. 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-10-2025 12:34 AM

Hi @Poojitha ,

you have a json format file.

You can extract fields in three ways:

  • using spath (as you did),
  • adding INDEXED_EXTRACTIONS=JSON to your props.conf (the best solution),
  • using regex (to use only if you haven't any other solution).

So, try the second option.

Ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...