Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Search event is not providing output for fields

pallavi_prabhu_
Explorer
‎09-08-2020 02:31 AM

We have created http event with below command: 

Body:
{     "sourcetype":"trial",         "event":"ITSM1",         "fields":                 {                 "discription":"ITSM1 inserting data",                 "urgency":"High"                             } }
 

This data is visible on splunk enterprise. Now we are trying to search this event using criteria as Urgency = High . but it didn't return any event.

We tried using curl command still same result.  Can you suggest what could be the issue?

 

C:\Users\terminal>curl -k -u username:Password https://localhost:8089/services/search/jobs -d output_mode="json" -d search="search index=main urgency=high"

{"sid":"1599554403.2242"}

C::\Users\terminal>curl -k -u username:Password :username:Password  https://localhost:8089/services/search/jobs/1599554403.2242/events --get -d output_mode="json"

output:

   "preview":false,

   "init_offset":0,

   "messages":[ ],

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎09-08-2020 05:25 AM

yes,  you need handle search criteria differently based on how you would like to project your results in reports or dashboards.

and also, I think you are adding sourcetype also inside the event attribute while constructing data for HTTP event collector. if you use sourcetype field separately as event then you don't see it in events but you see new field sourcetype because this is meta field.

curl -k -H "Authorization: Splunk 12345678-1234-1234-1234-1234567890AB" https://mysplunkserver.example.com:8088/services/collector/event -d '{"sourcetype": "my_sample_data", "event": "http auth ftw!"}'

 

 

————————————
If this helps, give a like below.

View solution in original post

Reply
Solved! Jump to solution

pallavi_prabhu_
Explorer
‎09-08-2020 04:26 AM

Adding screenshots for events created and search result. Fields are extracted but result is not listed.event_collector data.PNGextracted_fields Urgency.PNGSearch_using Urgency.PNG

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎09-08-2020 05:02 AM

How did you add urgency=High to your search? Typing it in or selecting it from the list of values and adding it to the search?

0 Karma
Reply
Solved! Jump to solution

pallavi_prabhu_
Explorer
‎09-08-2020 05:20 AM

@thambisetty  @ITWhisperer  We tried both ways. In case of selecting search criteria from suggested drop down list also we are getting 0 results. Is there any search specific for HTTP event collector where event is created with json body provided as :

{
    "sourcetype":"trial",   
    "event":"ITSM2",   
    "fields":   
            {                "discription":"ITSM2 inserting data",
                "urgency":"Low"               
            }}
 
Because we tried modifing above payload as :
{    "sourcetype":"trial",
       "event":   
            {                "discription":"ITSM2 inserting data",
                "urgency":"Low"
                           }}
 
In this case search works for urgency. So Do we need to handle search criteria differently if "fields" are used while creating events?
 
0 Karma
Reply
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎09-08-2020 05:25 AM

yes,  you need handle search criteria differently based on how you would like to project your results in reports or dashboards.

and also, I think you are adding sourcetype also inside the event attribute while constructing data for HTTP event collector. if you use sourcetype field separately as event then you don't see it in events but you see new field sourcetype because this is meta field.

curl -k -H "Authorization: Splunk 12345678-1234-1234-1234-1234567890AB" https://mysplunkserver.example.com:8088/services/collector/event -d '{"sourcetype": "my_sample_data", "event": "http auth ftw!"}'

 

 

————————————
If this helps, give a like below.
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎09-08-2020 03:57 AM
  1.  you are trying to filter events with Urgency = High and you are getting 0 results, that's because fields are not extracted from the event. if the field is extracted from the event you could see same from fields window left side.Splunk fields 
  2. also same reason your search is matched with 0 results, you should also specify timerange.

-------------------------------

Give a thumps if it solves your problem.

————————————
If this helps, give a like below.
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...