Splunk Search

Missing starting characters in a field

umsundar2015
Path Finder

Hi ,

I am facing a strange issue like missing 2 starting characters in a field.My data is coming as a view from datawarehouse and its a a sql server .I am getting proper name in warehouse but not in splunk dashboard or search.Iam creating index using splunk db connect using the view .

I have "Name" field which has a value like "LL3CCCZM2" in warehouse , But is showing as 3CCCZM2 in splunk dashboard.

Can anyone help me to find the reason and rectify this in splunk please .

0 Karma

FrankVl
Ultra Champion

Please provide the configuration you use to collect and parse the data and the search you are running that gives the broken results. Some screenshots would also be helpful (make sure to mask any sensitive data where needed).

0 Karma

umsundar2015
Path Finder

DB connect Config as below :
Input Type:Batch Input
Max Rows to Retrieve :10000000

Fetch Size :default
The number of rows to return at a time from the database. Default is 300.
Timestamp
Current Index Time

Output Timestamp Format:yyyy-MM-dd HH:mm:ss
Execution Frequency:45 01 * * *

search :
index=DNS| fillnull value=others|search factor="" Group="" os="*"|search Status="Not Reporting"|Table Identifier,factor, Tag, hardware,Company, os,Group

Please help me to find the issue

0 Karma

FrankVl
Ultra Champion

What is the actual DB query? Any props/transforms applied to extract fields?

0 Karma

umsundar2015
Path Finder

It is actually a sql query with which the view is created .Nothing is set in props and transform etc .

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...