Splunk Search

Searches returning unexpected results

tchamp
Explorer

I am fairly new to Splunk. I am testing out different search queries and getting inconsistent results.

In this example I have some pretty simple json/logs with the following format

{
  "data": {
    "tree": {
      "fruit": {
        "type": "Pear"
      }
    }
  }
}

I'm trying several different searches and seeing some unexpected results.

  1. "data.tree.fruit.type"="Apple" - Returns Apple only results (as expected)
  2. *| spath "data.tree.fruit.type" | search "data.tree.fruit.type"=Apple - Returns Apple only results (as expected)
  3. "data.tree.fruit.type"="Pear" - Returns NO results (unexpected?)
  4. *| spath "data.tree.fruit.type" | search "data.tree.fruit.type"=Pear - Returns Pear only results (as expected)
  5. "data.tree.fruit.type"="*" - Returns Apple only results (unexpected)

Can anyone shed some light on why I'm seeing the varying results?


bowesmana
SplunkTrust

It's likely that your auto-extracted JSON fields are not extracting the entire object, i.e. if you search type=* and it does not find some values, then those values do not exist in the auto-extracted field.

The fact that they DO give results after the spath, indicates this.

What is the size of your JSON object? By default I believe it will only auto-extract the first 5000 (5k?) bytes of a JSON object, so if you show "raw" in your display rather than the syntax-highlighted view of the JSON, you can see where your fruit type field exists in the raw.

If this is the case, then you can add some calculated fields using an spath eval statement to extract the fields, so they are always present before the search is run.

BTW, I'm not totally sure of the best practice way to manage this 5k limit, but the above will work.


tchamp
Explorer

The JSON objects are very large and way over 5KB in size. I will look into calculated fields unless anyone else has a better suggestion.


bowesmana
SplunkTrust

Here are a couple of links to other posts here

https://community.splunk.com/t5/Getting-Data-In/JSON-field-extraction-beyond-5000-chars/m-p/549963#:....

https://community.splunk.com/t5/Getting-Data-In/Missing-events-JSON-payload-and-indexed-extractions/...

If you start changing limits.conf - which is not simple with Cloud, it will affect general settings, so is not always the best way to go.

If you have a field that is not extracted and it's a simple field, i.e. a single value inside a JSON object with no multivalue component, then a simple calculated field can work, i.e.

| eval type=spath(_raw, "data.tree.fruit.type")

In the conf just use the spath... part for the eval definition

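As an added illustration (written for this page; not from the thread and not Splunk's own code), the following Python script models the mechanism bowesmana describes in both replies: automatic JSON field extraction only scans a bounded prefix of _raw, while `spath` with an explicit path, whether as a search command or inside an `eval`, parses the whole event. It assumes the 5000-byte figure from the first reply (the default of `extraction_cutoff` in the `[spath]` stanza of limits.conf, as I understand it), models the cutoff by slicing _raw before scanning, and uses constructed events in the poster's shape with a made-up `padding` key to push the fruit object past the cutoff. The helper names (`auto_extract`, `spath`, `search`, `with_calculated_field`, `run_searches`) are invented for the example. The practical point for anyone writing detections: a search that filters on an auto-extracted field silently drops large events, so the five searches from the question give exactly the counts observed above, and only the calculated field (`EVAL-type = spath(_raw, "data.tree.fruit.type")`) makes the Pear events visible to a plain `search` again.

```python
"""Model of why a large JSON event matches after `| spath` but not in the base
search. Stand-alone simulation written for this page, not Splunk's own code."""
import json
import re

# Assumption: automatic extraction scans only the first 5000 bytes of _raw
# (limits.conf [spath] extraction_cutoff default, as understood here).
EXTRACTION_CUTOFF = 5000

_TOKEN = re.compile(
    r'"((?:[^"\\]|\\.)*)"\s*:'              # 1: object key
    r'|"((?:[^"\\]|\\.)*)"'                 # 2: string value
    r'|(-?\d+(?:\.\d+)?|true|false|null)'   # 3: number / boolean / null
    r'|([{}\[\]])'                          # 4: structural character
)


def auto_extract(raw, cutoff=EXTRACTION_CUTOFF):
    """Approximation of automatic JSON key/value extraction: only the first
    `cutoff` characters are scanned, so a key/value pair that starts after the
    cutoff never becomes a field. Nested keys are joined with dots; values
    inside an array are attached to the enclosing key with a '{}' suffix, and
    a name seen more than once becomes a multivalue (list) field."""
    fields = {}
    path = []      # enclosing container names (None for the root object)
    key = None     # key waiting for its value
    for m in _TOKEN.finditer(raw[:cutoff]):
        k, string, literal, bracket = m.groups()
        if k is not None:
            key = k
        elif bracket in ("{", "["):
            path.append((key or "") + "{}" if bracket == "[" else key)
            key = None
        elif bracket in ("}", "]"):
            if path:
                path.pop()
            key = None
        else:
            name = ".".join(p for p in path + [key] if p)
            value = string if string is not None else literal
            if name in fields:
                old = fields[name]
                fields[name] = (old if isinstance(old, list) else [old]) + [value]
            else:
                fields[name] = value
            key = None
    return fields


def spath(raw, path):
    """Model of `| spath <path>` and eval spath(_raw, "<path>"): the whole
    event is parsed, so the cutoff does not apply. None if the path is absent."""
    node = json.loads(raw)
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def search(events, field, value, extractor):
    """Model of `search <field>=<value>` over a list of _raw strings; a value
    of "*" matches every event in which the field exists at all."""
    return [raw for raw in events
            if extractor(raw).get(field) is not None
            and (value == "*" or extractor(raw).get(field) == value)]


def with_calculated_field(raw, cutoff=EXTRACTION_CUTOFF):
    """Auto-extracted fields plus a calculated field defined in props.conf as
    EVAL-type = spath(_raw, "data.tree.fruit.type"), as suggested in the reply."""
    fields = auto_extract(raw, cutoff)
    fields["type"] = spath(raw, "data.tree.fruit.type")
    return fields


def make_event(fruit, padding):
    """Constructed sample event in the poster's shape; `padding` filler bytes
    are placed before the fruit object to control where it sits in _raw."""
    return json.dumps({"data": {"padding": "x" * padding,
                                "tree": {"fruit": {"type": fruit}}}})


# Constructed sample data (not the poster's logs): Apple events are small,
# Pear events are large enough that the fruit type lies beyond the cutoff.
EVENTS = [make_event("Apple", 0), make_event("Apple", 200),
          make_event("Pear", 6000), make_event("Pear", 8000)]
FIELD = "data.tree.fruit.type"


def run_searches(events=EVENTS, cutoff=EXTRACTION_CUTOFF):
    """The five searches from the question plus the calculated-field fix;
    returns the number of matching events for each."""
    auto = lambda raw: auto_extract(raw, cutoff)
    explicit = lambda raw: {FIELD: spath(raw, FIELD)}
    calc = lambda raw: with_calculated_field(raw, cutoff)
    return {
        "1 base search Apple": len(search(events, FIELD, "Apple", auto)),
        "2 spath then Apple": len(search(events, FIELD, "Apple", explicit)),
        "3 base search Pear": len(search(events, FIELD, "Pear", auto)),
        "4 spath then Pear": len(search(events, FIELD, "Pear", explicit)),
        "5 base search *": len(search(events, FIELD, "*", auto)),
        "calculated type=Pear": len(search(events, "type", "Pear", calc)),
    }


if __name__ == "__main__":
    for name, count in run_searches().items():
        print(f"{name}: {count} event(s)")
```

Running the script prints 2, 2, 0, 2, 2 for the five searches, the same pattern the question reports, and 2 for the calculated-field search. The model is deliberately simple (it truncates mid-string and ignores escaping subtleties), so treat it as an explanation of the symptom rather than a reproduction of Splunk's parser.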