Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Still having to "SPATH" despite "INDEXED_EXTRACTIONS = json" being true?

swangertyler
Path Finder
‎01-20-2023 12:44 PM

These two pieces of SPL return two different-looking tables. 

 

 

 

 

index=servicenow sourcetype=incident number=INC5181781 
| spath opened_at
| spath resolved_at
| table number, opened_at, resolved_at, number, _time

 

 

 

 

Will provide me with different results vs.

 

 

 

 

index=servicenow sourcetype=incident number=INC5181781 
| table number, opened_at, resolved_at, number, _time

 

 

 

 

In the one with "spath" the table has more values for those values for "opened_at" and "resolved_at". The same number of events are discovered, but the table makes it look like one event is "missing" dimensions.

Even if I do these two search, and compare the "Selected Fields" section on the left hand side, the one with spath has more "events" that have the values. 

 

In the props.conf file the "source" has the line

INDEXED_EXTRACTIONS = json


This may also be impacting my ability to search as well. It seems like I will not get complete results unless I do something like 

 

 

 

 

sourcetype=incident
|spath number
|spath category
|search number=INC5181781 category=Closed

 

 

 

 

I assume something is not configured as I expect it to be, and I am unsure where else to check.

Labels (2)
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎01-23-2023 12:02 PM

There are three separate methods of handling json data - spath, auto_kv and indexed extractions. And each of them names fields differently as far as I remember. auto_kv "flattens" the json structure and gives you only leaf field names whereas spath creates field names from the whole object path. I think indexed extractions produce something more similar to auto_kv but I'm not 100% sure - I don't use it very often.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎01-20-2023 02:06 PM

Can you share an example (sanitized) raw event?  It sounds like the event is not perfect JSON and so INDEXED_EXTRACTIONS is not extracting fields.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

swangertyler
Path Finder
‎01-23-2023 10:35 AM

When I put the _raw event into something like https://jsonlint.com/ it appears to be valid. However, I do know that a field in the original payload is a large text field, so it seems possible that something funny is happening. 

I'll see if I can sanitize an event and get it posted here. 

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...