Splunk Cloud Platform
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Splunk Platform
- :
- Splunk Cloud Platform
- :
- Re: What would cause a single json attribute to no...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
smahoney
Path Finder
08-05-2020
08:03 AM
Recently I noticed that an important field is not being auto extracted with the _json sourcetype while all other attributes are still being extracted as fields just fine. In the example below, the Properties.CorrelationId is not available and attempting to run stats on it produces no results. This has always worked, what would cause this?
{
"Level":"Error",
"MessageTemplate":"SPC Fulfillment controller has reported an error with message: [{httpResponseMessage}], code: [{httpResponseCode}] and status code [{httpResponseStatusCode}]",
"RenderedMessage":"SPC Fulfillment controller has reported an error with message: [\"Server will not process, error in request. SKU not found [1105716399999].\"], code: [\"015-002-017\"] and status code [400]",
"Properties":{
"httpResponseMessage":"Server will not process, error in request. SKU not found [1105716399999].",
"httpResponseCode":"015-002-017",
"httpResponseStatusCode":400,
"EndpointVersion":"v2",
"SourceContext":"SPC.Services.Fulfillment.API.Controllers.OrdersController",
"ApplicationName":"fabric:/spc/fulfillment",
"ApplicationTypeName":"SPC.Services.Fulfillment",
"CodePackageVersion":"2.81.0.2020072462946-08d393d6",
"ServiceName":"fabric:/spc/fulfillment/API",
"ServiceTypeName":"SPC.Services.Fulfillment.APIType",
"InstanceId":132406486505333708,
"PartitionId":"898c1f6a-ab4e-4c96-81f4-da999f2eb0f1",
"ServiceManifestVersion":"2.81.0.2020072462946-08d393d6",
"NodeName":"_sbp01-1FE_3",
"CorrelationId":"abb55590-1527-f9c2-d919-8ea586f1083a",
"Environment":"p01-1"
}
}
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
smahoney
Path Finder
08-05-2020
08:16 AM
Ok, I figured this out, but its odd as hadn't seen the impact anywhere until recently. There was a field alias that renamed an extracted correlationId to Properties.CorrelationId and the checkbox somehow got marked to overwrite field value, which was not the case earlier. that field is now available.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
smahoney
Path Finder
08-05-2020
08:16 AM
Ok, I figured this out, but its odd as hadn't seen the impact anywhere until recently. There was a field alias that renamed an extracted correlationId to Properties.CorrelationId and the checkbox somehow got marked to overwrite field value, which was not the case earlier. that field is now available.
Get Updates on the Splunk Community!
See your relevant APM services, dashboards, and alerts in one place with the updated ...
As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...
Index This | What goes away as soon as you talk about it?
May 2025 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with this month’s ...
What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025
This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...
