Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

String field value is working only when spath is used

Poojitha
Communicator
‎03-10-2025 12:07 AM

Hi All,

I need help in knowing below.

There is a field named lvl, which is of type=string. 

Raw Data : 

 

{  
    "time": "2025-03-10T06:20:29", 
    "corr": "3hgewhrger2346324632434gjhf", 
    "dpnt": "test.dpmt", 
    "appn": "test - appn",
     "lvl": "Warn", 
     "mod": "test.mod", 
     "tid": "171",
     "oper": "SetTestContext",
     "rslt": "Succeeded", 
     "msg": "test msg",
    "inst": "test inst", 
    "x-trace-id": "Root=1-65325bhg-test3;Sampled=1" 
}

 

Though lvl is of type string, if I try | search lvl="Warn" or lvl=Warn, it renders no result. Instead if I do
 | spath  lvl and then | search lvl="Warn" or  lvl=Warn it is showing result. Whereas for other fields like dpnt which is again of type string, it is working fine with | search dpnt="test.dpmt". 


I understand spath works on structured data format like json and xml but not getting what is happening in this case. Why is lvl string field not working as expected ? Please can anyone shade some light on this. 

Thanks,
PNV

Labels (1)
Labels
Tags (2)
0 Karma
Reply

Poojitha
Communicator
‎03-10-2025 12:43 AM

@gcusello  : Thanks for the response. Agreed on the format. But why lvl and dpnt field are behaving different ?
|search lvl="Warn" works only with spath whereas | search dpnt="test.dpmt" works even though I do not use spath on that.


0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-10-2025 12:49 AM

Hi @Poojitha ,

I don't really know!

which fields are listed in in tersting fields if you run the search without filters?

do you see all the fields?

Ciao.

Giuseppe

0 Karma
Reply

Poojitha
Communicator
‎03-10-2025 01:31 AM

@gcusello I tested again. 

Yes,  I could see  all of them under interesting fields (all fields in raw data).

Only lvl=<value> is not working if I add it in first line of search together with sourcetype and index or if I use with search command. Rest of the fields are working fine without spath.

Regards,
PNV

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-10-2025 02:22 AM

Hi @Poojitha ,

try to click on the value you want for lv1 using the interesting fields panel and see how it displays this filter.

Ciao.

Giuseppe

0 Karma
Reply

Poojitha
Communicator
‎03-10-2025 03:13 AM

Poojitha_0-1741601667665.png

 

 

@gcusello  yes sir, I tried.  I clicked on lvl --> Info value. It is getting filtered as  lvl=Info but now no result though there is result for lvl="Info"

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-10-2025 03:16 AM

Hi @Poojitha ,

there is no reason for this behavior.

If you can, open a ticket to Splunk Support.

Ciao.

Giuseppe

0 Karma
Reply

Poojitha
Communicator
‎03-10-2025 03:51 AM

@gcusello Thanks sir. I will do same. 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎03-10-2025 12:34 AM

Hi @Poojitha ,

you have a json format file.

You can extract fields in three ways:

  • using spath (as you did),
  • adding INDEXED_EXTRACTIONS=JSON to your props.conf (the best solution),
  • using regex (to use only if you haven't any other solution).

So, try the second option.

Ciao.

Giuseppe

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...