- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Filter fight for sourcetype not working
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have a sourcetype and I am trying to filter and everytime I do it shows not events. But I know that there are events.
In splunk it is showing that we have field called Target
portal.office.com 2,456 36.374%
api-gateway.drcedirect.com 1,744 25.829%
campus.fultonschools.org 1,624 24.052%
10.204.7.1 580 8.59%
10.202.5.86 348 5.154%
But when I try and filter on one of the targets it shows no events and says no results found.
This is the code that I am using
index=uberagent sourcetype=uberAgent:Script:NetworkHops Target="api-gateway.drcedirect.com"
This is a sample of the data
{
"TestName":"",
"IpAddress":"10.255.255.40 10.202.96.31",
"Target": "api-gateway.drcedirect.com",
"HopsNum":"15",
"HopName":"50.58.190.47",
"ASN":"AS394714",
"ASNOwner":"DRC ",
"LossPercent":"0.0%",
"HopIP":"50.58.190.47",
"AvgRTT":"41",
"MinRTT":"41",
"MaxRTT":"43"
}
Any help would be great
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are dealing with JSON data. You have two solutions for your problem.
1 - If your custom sourcetype contains JSON indexed extractions, then Splunk parses it immediately and you can it search for your key-value pair.
2 - The problem you may be facing is that you are using KV_MODE=auto, so if you change it to json in your sourcetype, you'll be fine.
Let me know if this helped you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You are dealing with JSON data. You have two solutions for your problem.
1 - If your custom sourcetype contains JSON indexed extractions, then Splunk parses it immediately and you can it search for your key-value pair.
2 - The problem you may be facing is that you are using KV_MODE=auto, so if you change it to json in your sourcetype, you'll be fine.
Let me know if this helped you
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@jgillman,
Can you change the search mode to verbose and try if it returns events for
index=uberagent sourcetype=uberAgent:Script:NetworkHops
If yes, can you try
index=uberagent sourcetype=uberAgent:Script:NetworkHops Target="api-gateway*"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am not sure if this is the correct answer but I did this and it worked.
| spath Target | search Target="10.202.5.86"
If there is a better way please let me know
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Alright, that indicates that your events were not extracted from json during indexing. Search time extraction using spath also works fine.
See reference : https://docs.splunk.com/Documentation/SplunkCloud/7.2.7/SearchReference/spath
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
