Splunk Search

Missing starting characters in a field

Path Finder

Hi,

I am facing a strange issue: the first 2 characters are missing in a field. My data is coming as a view from a data warehouse, and it's a SQL Server. I am getting the proper name in the warehouse but not in the Splunk dashboard or search. I am creating the index using Splunk DB Connect using the view.

I have a "Name" field which has a value like "LL3CCCZM2" in the warehouse, but it is showing as 3CCCZM2 in the Splunk dashboard.

Can anyone help me find the reason and rectify this in Splunk, please?

0 Karma

Ultra Champion

Please provide the configuration you use to collect and parse the data and the search you are running that gives the broken results. Some screenshots would also be helpful (make sure to mask any sensitive data where needed).

0 Karma

Path Finder

DB Connect config as below:

Input Type: Batch Input
Max Rows to Retrieve: 10000000
Fetch Size: default (The number of rows to return at a time from the database. Default is 300.)
Timestamp: Current Index Time
Output Timestamp Format: yyyy-MM-dd HH:mm:ss
Execution Frequency: 45 01 * * *

Search:
index=DNS| fillnull value=others|search factor="" Group="" os="*"|search Status="Not Reporting"|Table Identifier,factor, Tag, hardware,Company, os,Group

Please help me find the issue.

0 Karma

Ultra Champion

What is the actual DB query? Any props/transforms applied to extract fields?

0 Karma

Path Finder

It is actually a SQL query with which the view is created. Nothing is set in props, transforms, etc.

0 Karma