Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is my table field from JSON not working on all fields?

sboogaar
Path Finder
‎12-18-2018 07:49 AM

We are working with the following JSON generated by a dcos/marathon api:

alt text

When I run:

index=dcos sourcetype="dcos:marathon:metrics" | table gauges.api.mesosphere.marathon.core.event.impl.stream.HttpEventStreamActorMetrics.number-of-streams.count

I get a nice table with all the expected numbers.

But, when I run: 

index=dcos sourcetype="dcos:marathon:metrics" | table gauges.service.mesosphere.marathon.leaderDuration.count

All the fields are empty.

Why can I see the correct values for "gauges.api.mesosphere.marathon.core.event.impl.stream.HttpEventStreamActorMetrics.number-of-streams.count" But can not see it for gauges.service.mesosphere.marathon.leaderDuration.count
I also tried to get the data with spath like:

index=dcos sourcetype="dcos:marathon:metrics" | spath "gauges.service.mesosphere.marathon.leaderDuration.count" |  table  *

But again, the values are empty even though I can see gauges.service.mesosphere.marathon.leaderDuration.count in the table headings.

Even when I generate the searches with Splunk I get no data

alt text

Tags (2)
gauuges.png
Preview file
60 KB
marathon-data.png
Preview file
94 KB
0 Karma
Reply

DalJeanis
Legend
‎01-02-2019 09:38 AM

Splunk has a limitation on how big a json it is able to extract.

Let's verify that is not the issue. This should snip out all the nodes in the JSON before the leaderDuration node.

 index=dcos sourcetype="dcos:marathon:metrics" 
| head 1
| rex mode=sed field=_raw "s/(gauges:\s{)(.*)(service.mesosphere.marathon.leaderDuration)/\1\3/g"

Verify that that code kills the earlier data. After that, try 

| table gauges.service.mesosphere.marathon.leaderDuration.count

and

|  spath "gauges.service.mesosphere.marathon.leaderDuration.count"
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-19-2018 02:13 AM

@sboogaar
I have a doubt regarding below configurations. It might be hit in your event. Can you please reconfigure limits.conf if required and check again.

extraction_cutoff = <integer>
* For extract-all spath extraction mode, only apply extraction to the first
  <integer> number of bytes.
* Default: 5000

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf#.5Bspath.5D

limit = <integer>
* The maximum number of fields that an automatic key-value field extraction
  (auto kv) can generate at search time.
* If search-time field extractions are disabled (KV_MODE=none in props.conf)
  then this setting determines the number of index-time fields that will be
  returned.
* The summary fields 'host', 'index', 'source', 'sourcetype', 'eventtype',
  'linecount', 'splunk_server', and 'splunk_server_group' do not count against
  this limit and will always be returned.
* Increase this setting if, for example, you have indexed data with a large
  number of columns and want to ensure that searches display all fields from
  the data.
* Default: 100

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Limitsconf#.5Bkv.5D

0 Karma
Reply

sboogaar
Path Finder
‎01-03-2019 01:12 AM

@kamlesh_vaghela changing the extraction_cutoff worked I did not need to update the limit. If you post it as an answer I will accept it.

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎01-03-2019 01:48 AM

Great @sboogaar, extraction_cutoff worked for you.
Glad to help you.

0 Karma
Reply

macadminrohit
Contributor
‎12-18-2018 09:21 AM

Does splunk create a field name gauges.service.mesosphere.marathon.leaderDuration.count similar to what it has created where it showed you the contents in the table.

0 Karma
Reply

sboogaar
Path Finder
‎12-18-2018 11:55 PM

@macadminrohit Yes see the last image.

0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎12-18-2018 09:06 AM

@sboogaar

Can you please share the sample JSON event??

0 Karma
Reply

sboogaar
Path Finder
‎12-19-2018 12:52 AM

@kamlesh_vaghela It is 34k characters long and contains private data so I can not share it, if you tell me what you want to check I will try to provide that information.

0 Karma
Reply

woodcock
Esteemed Legend
‎01-02-2019 05:52 PM

If you cannot provide a sanitized event of identical size, then there is no good way for us to help.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
Top