Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Unable to view value from events

ws
Path Finder
‎04-22-2025 01:46 AM

Hi,

Unsure what is the root cause as i was trying to do some minor adjustment to ignore the [ ] at the transforms.conf.

Previously I'm able to view the fields like Id Name and their value but currently nothing shows.

I tried to re-do the props.conf, transforms.conf and inputs.conf by adding parameter by parameter and it still didn't work.

ws_1-1745311331162.png

ws_2-1745311635534.png

 

 

Labels (5)
0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎04-22-2025 02:04 AM

Hi @ws 

The reason you arent getting the fields listed is because it isnt being parsed as valid JSON.

To remove the trailing "]" try the following LINE_BREAKER

LINE_BREAKER=(\[)|(([\r\n]+)\s*{(?=\s*"attribute":\s*{))|(\])

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply

ws
Path Finder
‎04-22-2025 05:10 AM

Update

I suspect this might be a Splunk-related issue, possibly due to the version I'm currently using (9.3.1).

I spun up a new server for quick testing and reused the same configuration parameters from my previous setup. Mainly, the props.conf, transforms.conf, and inputs.conf.

Interestingly, everything seems to be working fine on the new server, even though the configuration is identical to the old one.

The only difference I can observe is in the data ingestion flow. initially, I ingested a set of JSON array entries in one format, and later ingested another set with a different structure containing more fields.

So far, it all appears to be working as expected.

However, when I tried the same method on my previous server, it didn’t work as expected.

This is puzzling since both servers are using the same configuration files and setup. The only noticeable difference was the data ingestion flow on the new server, I ingested one format of JSON array first, followed by another with more fields, and it worked fine. But replicating this exact process on the older server doesn’t yield the same results.

0 Karma
Reply

ws
Path Finder
‎04-22-2025 02:24 AM

Hi @livehybrid, I'm still under to get the fields listed even updating the props.conf.

[preprocess_case]
TRANSFORMS-setsourcetype = sourcetype_router, sourcetype_router2
SHOULD_LINEMERGE=false
LINE_BREAKER=(\[)|(([\r\n]+)\s*{(?=\s*"attribute":\s*{))|(\])
TRUNCATE=100000
TIME_PREFIX="ClosedDate":\s*"

[too_small]
PREFIX_SOURCETYPE = false

ws_0-1745313736451.png

 

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...