Solved: Re: HTTP Event Collector: why my fields are not se...

sylim_splunk · ‎11-01-2017

I'm adding fields in my json format data like, below. The issue is, the search "index=myHEC *" returns data but "index=myHEC myType=Find_me " is not working.

{
"time": 1507522387,
"host": "myHostname",
"source": "mySource",
"event": {
"message": "Catch me if you can",
"severity": "INFO"
},
"fields": {
"myType": "Find_me"
}
}

Why is it happening and how can I make it work?

sylim_splunk · ‎11-01-2017

This happens as the field, "myType" is not part of the raw data and index time field extraction is applied. By default the fields in search is extracted from raw data but this myType=Find_me is not found in raw events - that is the reason for the symptom.
To make it work for the case use fields.conf
- https://docs.splunk.com/Documentation/Splunk/latest/Admin/Fieldsconf
- http://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Aboutindexedfieldextraction

i.e)
[myType]
INDEXED=true

View solution in original post

sylim_splunk · ‎11-01-2017

This happens as the field, "myType" is not part of the raw data and index time field extraction is applied. By default the fields in search is extracted from raw data but this myType=Find_me is not found in raw events - that is the reason for the symptom.
To make it work for the case use fields.conf
- https://docs.splunk.com/Documentation/Splunk/latest/Admin/Fieldsconf
- http://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Aboutindexedfieldextraction

i.e)
[myType]
INDEXED=true

HTTP Event Collector: why my fields are not searchable?

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform