Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is my table field from JSON not working on all fields?

sboogaar
Path Finder
‎12-18-2018 07:49 AM

We are working with the following JSON generated by a dcos/marathon api:

alt text

When I run:

index=dcos sourcetype="dcos:marathon:metrics" | table gauges.api.mesosphere.marathon.core.event.impl.stream.HttpEventStreamActorMetrics.number-of-streams.count

I get a nice table with all the expected numbers.

But, when I run: 

index=dcos sourcetype="dcos:marathon:metrics" | table gauges.service.mesosphere.marathon.leaderDuration.count

All the fields are empty.

Why can I see the correct values for "gauges.api.mesosphere.marathon.core.event.impl.stream.HttpEventStreamActorMetrics.number-of-streams.count" But can not see it for gauges.service.mesosphere.marathon.leaderDuration.count
I also tried to get the data with spath like:

index=dcos sourcetype="dcos:marathon:metrics" | spath "gauges.service.mesosphere.marathon.leaderDuration.count" |  table  *

But again, the values are empty even though I can see gauges.service.mesosphere.marathon.leaderDuration.count in the table headings.

Even when I generate the searches with Splunk I get no data

alt text

Tags (2)
gauuges.png
Preview file
60 KB
marathon-data.png
Preview file
94 KB
0 Karma
Reply

DalJeanis
Legend
‎01-02-2019 09:38 AM

Splunk has a limitation on how big a json it is able to extract.

Let's verify that is not the issue. This should snip out all the nodes in the JSON before the leaderDuration node.

 index=dcos sourcetype="dcos:marathon:metrics" 
| head 1
| rex mode=sed field=_raw "s/(gauges:\s{)(.*)(service.mesosphere.marathon.leaderDuration)/\1\3/g"

Verify that that code kills the earlier data. After that, try 

| table gauges.service.mesosphere.marathon.leaderDuration.count

and

|  spath "gauges.service.mesosphere.marathon.leaderDuration.count"
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-19-2018 02:13 AM

@sboogaar
I have a doubt regarding below configurations. It might be hit in your event. Can you please reconfigure limits.conf if required and check again.

extraction_cutoff = <integer>
* For extract-all spath extraction mode, only apply extraction to the first
  <integer> number of bytes.
* Default: 5000

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf#.5Bspath.5D

limit = <integer>
* The maximum number of fields that an automatic key-value field extraction
  (auto kv) can generate at search time.
* If search-time field extractions are disabled (KV_MODE=none in props.conf)
  then this setting determines the number of index-time fields that will be
  returned.
* The summary fields 'host', 'index', 'source', 'sourcetype', 'eventtype',
  'linecount', 'splunk_server', and 'splunk_server_group' do not count against
  this limit and will always be returned.
* Increase this setting if, for example, you have indexed data with a large
  number of columns and want to ensure that searches display all fields from
  the data.
* Default: 100

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf#.5Bkv.5D

0 Karma
Reply

sboogaar
Path Finder
‎01-03-2019 01:12 AM

@kamlesh_vaghela changing the extraction_cutoff worked I did not need to update the limit. If you post it as an answer I will accept it.

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎01-03-2019 01:48 AM

Great @sboogaar, extraction_cutoff worked for you.
Glad to help you.

0 Karma
Reply

macadminrohit
Contributor
‎12-18-2018 09:21 AM

Does splunk create a field name gauges.service.mesosphere.marathon.leaderDuration.count similar to what it has created where it showed you the contents in the table.

0 Karma
Reply

sboogaar
Path Finder
‎12-18-2018 11:55 PM

@macadminrohit Yes see the last image.

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-18-2018 09:06 AM

@sboogaar

Can you please share the sample JSON event??

0 Karma
Reply

sboogaar
Path Finder
‎12-19-2018 12:52 AM

@kamlesh_vaghela It is 34k characters long and contains private data so I can not share it, if you tell me what you want to check I will try to provide that information.

0 Karma
Reply

woodcock
Esteemed Legend
‎01-02-2019 05:52 PM

If you cannot provide a sanitized event of identical size, then there is no good way for us to help.

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
li.common.scroll-to.top