Solved: Re: HTTP Event Collector: why my fields are not se...

sylim_splunk · ‎11-01-2017

I'm adding fields in my json format data like, below. The issue is, the search "index=myHEC *" returns data but "index=myHEC myType=Find_me " is not working.

{
"time": 1507522387,
"host": "myHostname",
"source": "mySource",
"event": {
"message": "Catch me if you can",
"severity": "INFO"
},
"fields": {
"myType": "Find_me"
}
}

Why is it happening and how can I make it work?

sylim_splunk · ‎11-01-2017

This happens as the field, "myType" is not part of the raw data and index time field extraction is applied. By default the fields in search is extracted from raw data but this myType=Find_me is not found in raw events - that is the reason for the symptom.
To make it work for the case use fields.conf
- https://docs.splunk.com/Documentation/Splunk/latest/Admin/Fieldsconf
- http://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Aboutindexedfieldextraction

i.e)
[myType]
INDEXED=true

View solution in original post

sylim_splunk · ‎11-01-2017

This happens as the field, "myType" is not part of the raw data and index time field extraction is applied. By default the fields in search is extracted from raw data but this myType=Find_me is not found in raw events - that is the reason for the symptom.
To make it work for the case use fields.conf
- https://docs.splunk.com/Documentation/Splunk/latest/Admin/Fieldsconf
- http://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Aboutindexedfieldextraction

i.e)
[myType]
INDEXED=true

HTTP Event Collector: why my fields are not searchable?

Splunk APM & RUM | Upcoming Planned Maintenance

Part 2: Diving Deeper With AIOps

User Groups | Upcoming Events!