Filter fight for sourcetype not working

jgillman
Explorer

We have a sourcetype and I am trying to filter it, and every time I do, it shows no events. But I know that there are events.

In Splunk it is showing that we have a field called Target:

Value                        Count   %
portal.office.com            2,456   36.374%
api-gateway.drcedirect.com   1,744   25.829%
campus.fultonschools.org     1,624   24.052%
10.204.7.1                     580   8.59%
10.202.5.86                    348   5.154%

But when I try to filter on one of the targets it shows no events and says "No results found".

This is the code that I am using

index=uberagent sourcetype=uberAgent:Script:NetworkHops Target="api-gateway.drcedirect.com"

This is a sample of the data
{
"TestName":"",
"IpAddress":"10.255.255.40 10.202.96.31",
"Target": "api-gateway.drcedirect.com",
"HopsNum":"15",
"HopName":"50.58.190.47",
"ASN":"AS394714",
"ASNOwner":"DRC ",
"LossPercent":"0.0%",
"HopIP":"50.58.190.47",
"AvgRTT":"41",
"MinRTT":"41",
"MaxRTT":"43"
}

Any help would be great


tiagofbmm
Influencer

You are dealing with JSON data. You have two solutions for your problem.

1 - If your custom sourcetype contains JSON indexed extractions, then Splunk parses it immediately and you can search for your key-value pair.
2 - The problem you may be facing is that you are using KV_MODE=auto, so if you change it to json in your sourcetype, you'll be fine.

Let me know if this helped you


renjith_nair
Legend

@jgillman,
Can you change the search mode to verbose and try if it returns events for

index=uberagent sourcetype=uberAgent:Script:NetworkHops

If yes, can you try

index=uberagent sourcetype=uberAgent:Script:NetworkHops Target="api-gateway*"
---
What goes around comes around. If it helps, hit it with Karma 🙂

jgillman
Explorer

I am not sure if this is the correct answer but I did this and it worked.

| spath Target | search Target="10.202.5.86"

If there is a better way please let me know


renjith_nair
Legend

Alright, that indicates that your events were not extracted from JSON during indexing. Search-time extraction using spath also works fine.

See reference : https://docs.splunk.com/Documentation/SplunkCloud/7.2.7/SearchReference/spath

---
What goes around comes around. If it helps, hit it with Karma 🙂
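As an added example that is not from any poster in this thread or from uberAgent's own configuration, this props.conf stanza shows the KV_MODE change the accepted answer proposes next to the index-time alternative it mentions, for the case where the spath workaround above should become unnecessary. The stanza name is the sourcetype from the original search; the comments about which setting to use where are assumptions based on standard Splunk props.conf behaviour.

```ini
# props.conf (constructed example). Stanza name must match the sourcetype
# exactly, including case.

[uberAgent:Script:NetworkHops]

# Setting the original poster was probably running with: auto extracts
# key=value pairs from the raw event, which is why a JSON body such as
# {"Target": "api-gateway.drcedirect.com", ...} gave no searchable Target
# field and Target="api-gateway.drcedirect.com" returned nothing.
#KV_MODE = auto

# Fix from the accepted answer: parse each event body as a JSON object at
# search time on the search head. After this, the original search works
# without a manual "| spath Target".
KV_MODE = json

# Alternative from the same answer: extract the JSON at index time on the
# instance that first parses the data (indexer or heavy forwarder). Choose one
# of the two approaches: index-time extraction combined with KV_MODE = json on
# the search head extracts every field twice and yields duplicate values, so
# pair INDEXED_EXTRACTIONS with KV_MODE = none.
#INDEXED_EXTRACTIONS = json
#KV_MODE = none
```

KV_MODE is a search-time setting and applies to events that are already indexed; INDEXED_EXTRACTIONS only affects data indexed after the change, so existing events still need the spath approach from the thread.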