duplicate host field when _raw is json

schose · ‎01-13-2021

Hi all,

I'm having non-indexed-extracted json in events. When there is a json "host" field host, which is different from the indexed "host", then the search view is showing you 2 values for host in smart or verbose mode.

you can't work with the searchtime extracted json host field - clicking on it gives you no results - as host is an indexed field.
.. when you are doing a ... | stats count by host, then only "indextimehost" is reported back - as expected.

this behaviour differers from "normal" kv searchtime detection:

i found multiple posts regarding this like:

https://community.splunk.com/t5/Getting-Data-In/Duplicate-host-field-after-indexing-JSON-event/m-p/2...

unfortunately i'm not able to change the json field name at the source. Rewriting is also no good option for me.

This more looks like a display bug for me.. but drives the poweruser crasy.

best Regards,

Andreas

to4kawa · ‎01-15-2021

index=_internal | head 1 | fields _raw host
| eval _raw="{\"host\": \"your host\"}"
| spath

https://docs.splunk.com/Documentation/Splunk/8.1.1/Knowledge/Automatickey-valuefieldextractionsatsea...

In default, KV_MODE=auto. so json is extracted, so if the event has the same name, it will inevitably become.

index=_internal | head 1 | fields _raw host
| eval _raw="{\"host\": \"your host\"}"
| eval hostname=spath(_raw,"host")

how about this?

duplicate host field when _raw is json

field extraction

JSON

sourcetype

Index This | I’m short for "configuration file.” What am I?

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Your Guide to SPL2 at .conf24!