
Limited Results

Rodrigo_Larios
Explorer

Hi,

I got a lot of events with a Gtin value, near 177 events.

When I search with the next sentence, I'm getting only 3 values, even though I got more events.

index="prod_super_cc" source="InventorySnapshot" | spath input=data.InventoryData | search "InventoryDetails.InventoryDetail{}.Gtin"="*"

All my events have Gtin values, and my data.InventoryData is a JSON string such as:

InventoryData{"InventoryDetails":{"InventoryDetail":[{"Gtin":74460700795,"NodeId":4581,"ItemNbr":100394282,"AvailableToSellQty":0,"InTransitQty":0,"MaxFloorQty":14,"InWarehouseQty":0,"OnOrderQty":0},{"Gtin":74460700355,"NodeId":4581,"ItemNbr":100370309,"AvailableToSellQty":0,"InTransitQty":0,"MaxFloorQty":12,"InWarehouseQty":0,"OnOrderQty":0},{"Gtin":750104881020,"NodeId":4581,"ItemNbr":9615187,"AvailableToSellQty":0,"InTransitQty":0,"MaxFloorQty":18,"InWarehouseQty":0,"OnOrderQty":0},{"Gtin":750103501055,"NodeId":4581,"ItemNbr":9605734,"AvailableToSellQty":0,"InTransitQty":0,"MaxFloorQty":14,"InWarehouseQty":0,"OnOrderQty":0},{"Gtin":750104881001,"NodeId":4581,"ItemNbr":9655475,"AvailableToSellQty":0,"InTransitQty":0,"MaxFloorQty":16,"InWarehouseQty":0,"OnOrderQty":0},{"Gtin":750103501301,"NodeId":4581,"ItemNbr":9611924,"AvailableToSellQty":0,"InTransitQty":0,"MaxFloorQty":14,"InWarehouseQty":0,"OnOrderQty":0},{"Gtin":74460700805,"NodeId":4581,"ItemNbr":100394281,"AvailableToSellQty":0,"InTransitQty":0,"MaxFloorQty":12,"InWarehouseQty":0,"OnOrderQty":0},{"Gtin":750103501227,"NodeId":4581,"ItemNbr":100155557,"AvailableToSellQty":0,"InTransitQty":0,"MaxFloorQty":14,"InWarehouseQty":0,"OnOrderQty":0},{"Gtin":74460700807,"NodeId":4581,"ItemNbr":100394283,"AvailableToSellQty":0,"InTransitQty":0,"MaxFloorQty":12,"InWarehouseQty":0,"OnOrderQty":0},{"Gtin":74460700806,"NodeId":4581,"ItemNbr":100394279,"AvailableToSellQty":0,"InTransitQty":0,"MaxFloorQty":12,"InWarehouseQty":0,"OnOrderQty":0},{"Gtin":74460700803,"NodeId":4581,"ItemNbr":100394280,"AvailableToSellQty":0,"InTransitQty":0,"MaxFloorQty":12,"InWarehouseQty":0,"OnOrderQty":0},{"Gtin":750103501348,"NodeId":4581,"ItemNbr":9666821,"AvailableToSellQty":0,"InTransitQty":0,"MaxFloorQty":7,"InWarehouseQty":0,"OnOrderQty":0},{"Gtin":74978750013,"NodeId":4581,"ItemNbr":100187231,"AvailableToSellQty":4,"InTransitQty":0,"MaxFloorQty":7,"InWarehouseQty":0,"OnOrderQty":0},{"Gtin":750100561751,"NodeId":4581,"ItemNbr":100227362,
"AvailableToSellQty":0,"InTransitQty":0,"MaxFloorQty":16,"InWarehouseQty":0,"OnOrderQty":0},{"Gtin":750103501312,"NodeId":4581,"ItemNbr":9654178,"AvailableToSellQty":0,"InTransitQty":0,"MaxFloorQty":16,"InWarehouseQty":0,"OnOrderQty":0},{"Gtin":500028105626,"NodeId":4581,"ItemNbr":100327653,"AvailableToSellQty":12,"InTransitQty":0,"MaxFloorQty":10,"InWarehouseQty":0,"OnOrderQty":0},{"Gtin":500028105624,"NodeId":4581,"ItemNbr":100341374,"AvailableToSellQty":0,"InTransitQty":0,"MaxFloorQty":10,"InWarehouseQty":0,"OnOrderQty":0},{"Gtin":750103501203,"NodeId":4581,"ItemNbr":9602610,"AvailableToSellQty":0,"InTransitQty":0,"MaxFloorQty":14,"InWarehouseQty":0,"OnOrderQty":0},{"Gtin":750103501202,"NodeId":4581,"ItemNbr":9602645,"AvailableToSellQty":0,"InTransitQty":0,"MaxFloorQty":16,"InWarehouseQty":0,"OnOrderQty":0}]}}

Why is Splunk not getting the rest of the events?

How can I get all Gtin values?


thambisetty
Super Champion

To extract the Gtin number:

| rex "Gtin\"\:(?<Gtin>\w+)"

To extract all Gtin numbers, the below new field extracts Gtin, and Gtin will be a multivalue field:

| rex max_match=0 "Gtin\"\:(?<Gtin>\w+)"

 

————————————
If this helps, give a like below.
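
One way to check that the `max_match=0` extraction from the answer above covers every event, as an added example that is not part of the original posts. It reuses the asker's base search and the answer's `rex` unchanged; the output field names (`GtinPerEvent`, `events`, `events_without_gtin`, `total_gtin_values`, `distinct_gtin_values`) are chosen here for illustration.

```spl
index="prod_super_cc" source="InventorySnapshot"
| rex max_match=0 "Gtin\"\:(?<Gtin>\w+)"
``` Gtin is now multivalue: count how many values each event produced ```
| eval GtinPerEvent=mvcount(Gtin)
``` Summarise across all events; events where rex matched nothing have a null Gtin ```
| stats count AS events
        count(eval(isnull(Gtin))) AS events_without_gtin
        sum(GtinPerEvent) AS total_gtin_values
        dc(Gtin) AS distinct_gtin_values
```

If `events` matches the expected event count and `events_without_gtin` is 0, every event contributed at least one Gtin value.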
