String field value is working only when spath is u...

Poojitha · ‎03-10-2025

Hi All,

I need help in knowing below.

There is a field named lvl, which is of type=string.

Raw Data :

{  
    "time": "2025-03-10T06:20:29", 
    "corr": "3hgewhrger2346324632434gjhf", 
    "dpnt": "test.dpmt", 
    "appn": "test - appn",
     "lvl": "Warn", 
     "mod": "test.mod", 
     "tid": "171",
     "oper": "SetTestContext",
     "rslt": "Succeeded", 
     "msg": "test msg",
    "inst": "test inst", 
    "x-trace-id": "Root=1-65325bhg-test3;Sampled=1" 
}

Though lvl is of type string, if I try | search lvl="Warn" or lvl=Warn, it renders no result. Instead if I do
| spath lvl and then | search lvl="Warn" or lvl=Warn it is showing result. Whereas for other fields like dpnt which is again of type string, it is working fine with | search dpnt="test.dpmt".

I understand spath works on structured data format like json and xml but not getting what is happening in this case. Why is lvl string field not working as expected ? Please can anyone shade some light on this.

Thanks,
PNV

Poojitha · ‎03-10-2025

@gcusello : Thanks for the response. Agreed on the format. But why lvl and dpnt field are behaving different ?
|search lvl="Warn" works only with spath whereas | search dpnt="test.dpmt" works even though I do not use spath on that.

gcusello · ‎03-10-2025

Hi @Poojitha ,

I don't really know!

which fields are listed in in tersting fields if you run the search without filters?

do you see all the fields?

Ciao.

Giuseppe

Poojitha · ‎03-10-2025

@gcusello I tested again.

Yes, I could see all of them under interesting fields (all fields in raw data).

Only lvl=<value> is not working if I add it in first line of search together with sourcetype and index or if I use with search command. Rest of the fields are working fine without spath.

Regards,
PNV

gcusello · ‎03-10-2025

Hi @Poojitha ,

try to click on the value you want for lv1 using the interesting fields panel and see how it displays this filter.

Ciao.

Giuseppe

Poojitha · ‎03-10-2025

@gcusello yes sir, I tried. I clicked on lvl --> Info value. It is getting filtered as lvl=Info but now no result though there is result for lvl="Info"

gcusello · ‎03-10-2025

Hi @Poojitha ,

there is no reason for this behavior.

If you can, open a ticket to Splunk Support.

Ciao.

Giuseppe

Poojitha · ‎03-10-2025

@gcusello Thanks sir. I will do same.

gcusello · ‎03-10-2025

Hi @Poojitha ,

you have a json format file.

You can extract fields in three ways:

using spath (as you did),
adding INDEXED_EXTRACTIONS=JSON to your props.conf (the best solution),
using regex (to use only if you haven't any other solution).

So, try the second option.

Ciao.

Giuseppe

String field value is working only when spath is used

other

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Are you a member of the Splunk Community?

String field value is working only when spath is used

other

CX Day is Coming!

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console