Solved: HTTP Event Collector: why my fields are not search...

sylim_splunk · ‎11-01-2017

I'm adding fields in my json format data like, below. The issue is, the search "index=myHEC *" returns data but "index=myHEC myType=Find_me " is not working.

{
"time": 1507522387,
"host": "myHostname",
"source": "mySource",
"event": {
"message": "Catch me if you can",
"severity": "INFO"
},
"fields": {
"myType": "Find_me"
}
}

Why is it happening and how can I make it work?

sylim_splunk · ‎11-01-2017

This happens as the field, "myType" is not part of the raw data and index time field extraction is applied. By default the fields in search is extracted from raw data but this myType=Find_me is not found in raw events - that is the reason for the symptom.
To make it work for the case use fields.conf
- https://docs.splunk.com/Documentation/Splunk/latest/Admin/Fieldsconf
- http://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Aboutindexedfieldextraction

i.e)
[myType]
INDEXED=true

View solution in original post

sylim_splunk · ‎11-01-2017

This happens as the field, "myType" is not part of the raw data and index time field extraction is applied. By default the fields in search is extracted from raw data but this myType=Find_me is not found in raw events - that is the reason for the symptom.
To make it work for the case use fields.conf
- https://docs.splunk.com/Documentation/Splunk/latest/Admin/Fieldsconf
- http://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Aboutindexedfieldextraction

i.e)
[myType]
INDEXED=true

HTTP Event Collector: why my fields are not searchable?

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Introducing Edge Processor: Next Gen Data Transformation

Take the 2021 Splunk Career Survey for $50 in Amazon Cash