Getting Data In

Why am I encountering a bug when accessing nested JSON field values?

responsys_cm
Builder

There seems to be a bug searching events with JSON data if the field names are nested.

For example: sourcetype=cmdb | rename data.ip_v4_address AS ip
This search works as expected

sourcetype=cmdb | eval ip=data.ip_v4

This search does not put any value in the ip field.

If, however, I create an alias for data.ip_v4, I can use eval to access the value of the aliased field.

I complained to my Splunk SE about this over a year ago and it still hasn't been fixed as of 7.1.1.

0 Karma
1 Solution

jtacy
Builder

I think the correct syntax for your second search is:

sourcetype=cmdb | eval ip='data.ip_v4'

The requirement for single quotes in this situation is stated at http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Eval under Syntax:

If the expression references a field name that contains non-alphanumeric characters, it needs to be surrounded by single quotation marks.

View solution in original post

jtacy
Builder

I think the correct syntax for your second search is:

sourcetype=cmdb | eval ip='data.ip_v4'

The requirement for single quotes in this situation is stated at http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Eval under Syntax:

If the expression references a field name that contains non-alphanumeric characters, it needs to be surrounded by single quotation marks.

responsys_cm
Builder

Boom! Thanks, jtacy!

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...