Splunk Search

How to not automatically invoke the spath command in raw data?

nawazns5038
Builder

Hi,

We are using JSON data and the field extractions are done already. So we no need to use the spath command. But when we click on raw data and add it to the search the spath command is automatically invoked. How can we correct that, the spath command takes a lot of time and is not needed in our case.

Thanks,

0 Karma

cstump_splunk
Splunk Employee
Splunk Employee

does the following search work?
index=abcd proto=TCP
If so there may not be a problem. The behavior you are describing, with spath being added to the search, is the default behavior when Splunk detects JSON or XML events. If there is a way to turn it off, you may not want to as it will turn off the behavior for all JSON or XML inputs.

0 Karma

nawazns5038
Builder

we don't need that to any of the inputs all the data sources are straight forward with fields extracted.

Do you know how to turn the default Splunk feature off ??

0 Karma

niketn
Legend

@nawazns5038, can you elaborate more on your issue. What is the data you are looking at and What you click and which search runs by default. Community members will be able to assist you better if there was more detail!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

nawazns5038
Builder

sure..

{

action: xxxxxxxx

dnsQName: xxxxxxx
dstIPv4: xxxxxxxxx
dstPort: xxxxxxxxx
fileMd5: xxxxxxxxxxxxxxxxxxxx
localEndpoint: xxxxxxx
pGuid: xxxxxxxxxxxx

pName: xxxxxxxxxx
pid: xxxxxxxxxxx
proto: TCP

protoVersion: xxxxxxxxx
}

That is the example event we are having, suppose if we click on TCP and say add to search, it will not add "proto=TCP" to the search , instead it will do this,

index=abcd | spath proto | search proto=TCP

where you can see the spath command invoked and it takes a lot of time for the completion and is not necessary in our case where the field values are already extracted.

We have a lot of users and some random users coming and in and going, so better to disable the feature than intimating everyone

0 Karma

Sukisen1981
Champion

hmmm this looks like some issue with index time -

Can you try setting the follwoing
indexed_extractions=JSON or KV_MODE=JSON in the props.conf file
I suspect this is missing

Refer spath doc here - http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath
Sectionm Alternative to the spath command

niketn
Legend

@nawazns5038, as suggested by @Sukisen1981, please share your props.conf used the JSON data.
You should try the following settings:

INDEXED_EXTRACTIONS=json
KV_MODE=none

I was able to search directly by field names upon drilldown unlike the spath command.

Also is the drilldown from raw search or is it from existing table? Is it possible that the query that populates the table is using spath and your drilldown is on top of that query rather than raw events?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

nawazns5038
Builder

Hi @Sukisen1981 , @niketn,

[json_time]
SHOULD_LINEMERGE = false
TIME_FORMAT =%F %T.%3N
TIME_PREFIX =time\":\"
MAX_TIMESTAMP_LOOKAHEAD = 25
TRUNCATE = 0
TZ = UTC

INDEXED_EXTRACTIONS = json

NO_BINARY_CHECK=true
KV_MODE = none
LINE_BREAKER = ([\r\n]+){
AUTO_KV_JSON = false

The above is the props.conf begin used and I don't think we need to use INDEXED_EXTRACTIONS=json as it may cause double extractions of the fields, as mentioned the field values are extracted automatically, just by using above props.conf.

@niketn it is coming from the _raw events itself,

You can search for an index .... like index=abcd. After the _raw events are displayed you can chose a value and add to the search it invokes the spath automatically.

0 Karma
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...