Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Unexpected results with field values - Splunk Enterprise

akarivaratharaj
Communicator
‎05-23-2024 02:10 AM

With some of the events, we are facing the unexpected format of the query results. Actually in the raw event there is no issue at all, and each field is showing their own values. But when it is queried and displayed in the statistics section as results, the values of few fields are displaying incorrectly.

Usually the search results show key-values. But with some events, the search results are showing as "fieldname1=fieldname1=value" and in some cases "fieldname1=fieldname3=value". 

Example1: Request_id=Request_id=12345

(Expected to be -> "Request_id=12345")

Example2: Parent_id=message_id=456

(Expected to be -> "Parent_id=321")

Example3: Parent_id=category=unknown

(Expected to be -> "Parent_id=321")

Is this related with parser or something else? We are unable to find what could be the issue lying over here.

Could anyone please help us on fixing this issue at the earliest?

Labels (1)
Labels
0 Karma
Reply

akarivaratharaj
Communicator
‎01-05-2025 08:45 PM

This issue is resolved after making few changes to props.conf where the field extraction is set.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-23-2024 02:17 AM

It looks to like you either have a problem with your data (raw events), your ingest config e.g. transforms.conf or your search query. Unfortunately, since you have shared none of these, it is rather difficult to offer anything more constructive.

0 Karma
Reply

akarivaratharaj
Communicator
‎05-23-2024 03:41 AM

If I run a search query, there is no issue with raw events. From the Events tab, everything looks in perfect format and can't say that there is a Data quality issue in the events.

Only when this is visualised from statistics tab I could see this. Also this is happening only with some events in the results set. I have attached the screenshot of the normal results and the results with Data Quality issue.

Expected results with Request Id and other fields.

akarivaratharaj_0-1716459479128.png

But what it is displaying (Refer the highlighted rows)

akarivaratharaj_3-1716460402285.png

 

Here is the event of one of the request ids where the key value pair is as expected format

akarivaratharaj_4-1716460839107.png

 

 

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-23-2024 03:47 AM

What is the search?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-23-2024 03:48 AM

How are the fields extracted?

0 Karma
Reply

akarivaratharaj
Communicator
‎05-23-2024 03:53 AM

I am using just the table command

index=main host=* sourcetype=* source=* | table _time, Request_id, Future_id

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-23-2024 03:54 AM

So it looks like it is to do with how the fields are extracted. Please can you share these details?

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-23-2024 03:58 AM

Also you shared (a picture of) an event which works, but not one which doesn't. Please can you share the raw text of a "failing" event in a code block (rather than a picture) - you can obfuscate any sensitive details as appropriate.

0 Karma
Reply

akarivaratharaj
Communicator
‎05-23-2024 04:02 AM

Actually I have shared picture of the raw event of the failed ones only (just masked the confidential fields). They look similar to the other events which work.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-23-2024 04:14 AM

So it looks like it is to do with how the fields are extracted. Please can you share these details?

0 Karma
Reply

akarivaratharaj
Communicator
‎05-23-2024 04:24 AM

I have observed one more thing with these failed events. In the event section, usually at the end of each event, the default fields like host, sourcetype, etc., will be appended and displayed.

Similarly, in addition to those default fields, I could see the Request_ID field is also displayed in that section after each event. In that place I could see the format of Request_ID is in unexpected form.

Please check the below screenshot (After the field CT=1, the section of default fields is shown)

akarivaratharaj_0-1716463332683.png

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-23-2024 05:07 AM

This is showing that the fields have been extracted incorrectly.

Yet again I ask if you could please share your configurations which are being used to extract the fields for this sourcetype - this is likely to be where your problem lies, so if you want a resolution, you are going to have to give us more information.

0 Karma
Reply
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Top