Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Limited Results

Rodrigo_Larios
Explorer
‎09-06-2020 05:42 PM

Hi,

I got a lot of events with a Gtin value, near 177 events.

When i search with next sentence, i'm getting only 3 values, eventhough i got more events.

index="prod_super_cc" source="InventorySnapshot" | spath input=data.InventoryData | search "InventoryDetails.InventoryDetail{}.Gtin"="*"

All my events have Gtin values, and my data.InventoryData is a JSON string such as:

InventoryData{"InventoryDetails":{"InventoryDetail":[{"Gtin":74460700795,"NodeId":4581,"ItemNbr":100394282,"AvailableToSellQty":0,"InTransitQty":0,"MaxFloorQty":14,"InWarehouseQty":0,"OnOrderQty":0},{"Gtin":74460700355,"NodeId":4581,"ItemNbr":100370309,"AvailableToSellQty":0,"InTransitQty":0,"MaxFloorQty":12,"InWarehouseQty":0,"OnOrderQty":0},{"Gtin":750104881020,"NodeId":4581,"ItemNbr":9615187,"AvailableToSellQty":0,"InTransitQty":0,"MaxFloorQty":18,"InWarehouseQty":0,"OnOrderQty":0},{"Gtin":750103501055,"NodeId":4581,"ItemNbr":9605734,"AvailableToSellQty":0,"InTransitQty":0,"MaxFloorQty":14,"InWarehouseQty":0,"OnOrderQty":0},{"Gtin":750104881001,"NodeId":4581,"ItemNbr":9655475,"AvailableToSellQty":0,"InTransitQty":0,"MaxFloorQty":16,"InWarehouseQty":0,"OnOrderQty":0},{"Gtin":750103501301,"NodeId":4581,"ItemNbr":9611924,"AvailableToSellQty":0,"InTransitQty":0,"MaxFloorQty":14,"InWarehouseQty":0,"OnOrderQty":0},{"Gtin":74460700805,"NodeId":4581,"ItemNbr":100394281,"AvailableToSellQty":0,"InTransitQty":0,"MaxFloorQty":12,"InWarehouseQty":0,"OnOrderQty":0},{"Gtin":750103501227,"NodeId":4581,"ItemNbr":100155557,"AvailableToSellQty":0,"InTransitQty":0,"MaxFloorQty":14,"InWarehouseQty":0,"OnOrderQty":0},{"Gtin":74460700807,"NodeId":4581,"ItemNbr":100394283,"AvailableToSellQty":0,"InTransitQty":0,"MaxFloorQty":12,"InWarehouseQty":0,"OnOrderQty":0},{"Gtin":74460700806,"NodeId":4581,"ItemNbr":100394279,"AvailableToSellQty":0,"InTransitQty":0,"MaxFloorQty":12,"InWarehouseQty":0,"OnOrderQty":0},{"Gtin":74460700803,"NodeId":4581,"ItemNbr":100394280,"AvailableToSellQty":0,"InTransitQty":0,"MaxFloorQty":12,"InWarehouseQty":0,"OnOrderQty":0},{"Gtin":750103501348,"NodeId":4581,"ItemNbr":9666821,"AvailableToSellQty":0,"InTransitQty":0,"MaxFloorQty":7,"InWarehouseQty":0,"OnOrderQty":0},{"Gtin":74978750013,"NodeId":4581,"ItemNbr":100187231,"AvailableToSellQty":4,"InTransitQty":0,"MaxFloorQty":7,"InWarehouseQty":0,"OnOrderQty":0},{"Gtin":750100561751,"NodeId":4581,"ItemNbr":100227362,"AvailableToSellQty":0,"InTransitQty":0,"MaxFloorQty":16,"InWarehouseQty":0,"OnOrderQty":0},{"Gtin":750103501312,"NodeId":4581,"ItemNbr":9654178,"AvailableToSellQty":0,"InTransitQty":0,"MaxFloorQty":16,"InWarehouseQty":0,"OnOrderQty":0},{"Gtin":500028105626,"NodeId":4581,"ItemNbr":100327653,"AvailableToSellQty":12,"InTransitQty":0,"MaxFloorQty":10,"InWarehouseQty":0,"OnOrderQty":0},{"Gtin":500028105624,"NodeId":4581,"ItemNbr":100341374,"AvailableToSellQty":0,"InTransitQty":0,"MaxFloorQty":10,"InWarehouseQty":0,"OnOrderQty":0},{"Gtin":750103501203,"NodeId":4581,"ItemNbr":9602610,"AvailableToSellQty":0,"InTransitQty":0,"MaxFloorQty":14,"InWarehouseQty":0,"OnOrderQty":0},{"Gtin":750103501202,"NodeId":4581,"ItemNbr":9602645,"AvailableToSellQty":0,"InTransitQty":0,"MaxFloorQty":16,"InWarehouseQty":0,"OnOrderQty":0}]}}

Why splunk is not getting the rest of events?

How can i get all Gtin values?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thambisetty
Super Champion
‎09-06-2020 11:19 PM

to extract Gtin number 

| rex "Gtin\"\:(?<Gtin>\w+)"

to extract all Gtin numbers, the below new field extracts Gtin and Gtin will be multi value field 

| rex max_match=0 "Gtin\"\:(?<Gtin>\w+)"

 

————————————
If this helps, give a like below.

View solution in original post

Reply
Solved! Jump to solution
Solution

thambisetty
Super Champion
‎09-06-2020 11:19 PM

to extract Gtin number 

| rex "Gtin\"\:(?<Gtin>\w+)"

to extract all Gtin numbers, the below new field extracts Gtin and Gtin will be multi value field 

| rex max_match=0 "Gtin\"\:(?<Gtin>\w+)"

 

————————————
If this helps, give a like below.
Reply
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...