Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

String field value is working only when spath is used

Poojitha
Communicator
‎03-10-2025 12:07 AM

Hi All,

I need help in knowing below.

There is a field named lvl, which is of type=string. 

Raw Data : 

 

{  
    "time": "2025-03-10T06:20:29", 
    "corr": "3hgewhrger2346324632434gjhf", 
    "dpnt": "test.dpmt", 
    "appn": "test - appn",
     "lvl": "Warn", 
     "mod": "test.mod", 
     "tid": "171",
     "oper": "SetTestContext",
     "rslt": "Succeeded", 
     "msg": "test msg",
    "inst": "test inst", 
    "x-trace-id": "Root=1-65325bhg-test3;Sampled=1" 
}

 

Though lvl is of type string, if I try | search lvl="Warn" or lvl=Warn, it renders no result. Instead if I do
 | spath  lvl and then | search lvl="Warn" or  lvl=Warn it is showing result. Whereas for other fields like dpnt which is again of type string, it is working fine with | search dpnt="test.dpmt". 


I understand spath works on structured data format like json and xml but not getting what is happening in this case. Why is lvl string field not working as expected ? Please can anyone shade some light on this. 

Thanks,
PNV

Labels (1)
Labels
Tags (2)
0 Karma
Reply

Poojitha
Communicator
‎03-10-2025 12:43 AM

@gcusello  : Thanks for the response. Agreed on the format. But why lvl and dpnt field are behaving different ?
|search lvl="Warn" works only with spath whereas | search dpnt="test.dpmt" works even though I do not use spath on that.


0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-10-2025 12:49 AM

Hi @Poojitha ,

I don't really know!

which fields are listed in in tersting fields if you run the search without filters?

do you see all the fields?

Ciao.

Giuseppe

0 Karma
Reply

Poojitha
Communicator
‎03-10-2025 01:31 AM

@gcusello I tested again. 

Yes,  I could see  all of them under interesting fields (all fields in raw data).

Only lvl=<value> is not working if I add it in first line of search together with sourcetype and index or if I use with search command. Rest of the fields are working fine without spath.

Regards,
PNV

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-10-2025 02:22 AM

Hi @Poojitha ,

try to click on the value you want for lv1 using the interesting fields panel and see how it displays this filter.

Ciao.

Giuseppe

0 Karma
Reply

Poojitha
Communicator
‎03-10-2025 03:13 AM

Poojitha_0-1741601667665.png

 

 

@gcusello  yes sir, I tried.  I clicked on lvl --> Info value. It is getting filtered as  lvl=Info but now no result though there is result for lvl="Info"

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-10-2025 03:16 AM

Hi @Poojitha ,

there is no reason for this behavior.

If you can, open a ticket to Splunk Support.

Ciao.

Giuseppe

0 Karma
Reply

Poojitha
Communicator
‎03-10-2025 03:51 AM

@gcusello Thanks sir. I will do same. 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-10-2025 12:34 AM

Hi @Poojitha ,

you have a json format file.

You can extract fields in three ways:

  • using spath (as you did),
  • adding INDEXED_EXTRACTIONS=JSON to your props.conf (the best solution),
  • using regex (to use only if you haven't any other solution).

So, try the second option.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Prove Your Splunk Prowess at .conf25—No Prereqs Required!

Your Next Big Security Credential: No Prerequisites Needed We know you’ve got the skills, and now, earning the ...

Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code

This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...

Splunk Answers Content Calendar, July Edition I

Hello Community! Welcome to another month of Community Content Calendar series! For the month of July, we will ...
Top