Searching on a specific field in JSON

fredsnertz · ‎04-29-2024

This is probably an entry level question. I have raw data that looks something like this:

{"id": 99999, "type": "HOST", "timestamp": "2024-04-29T10:41:39.820Z", "entity": {"ipAddress": "1.1.1.1"}, "dataName": "Testing"}

If I search for type="HOST" or entity.ipAddress="1.1.1.1" I get this entry in the results, but if I search for dataName="Testing" or even dataName=*, I get nothing. What is different about this field?

gcusello · ‎04-29-2024

Hi @fredsnertz ,

see in the interesting fields from your searh what's the real ile name of dataName field (probably entity.dataName) and use it.

Using the json format fields are composite.

Ciao.

Giuseppe

bowesmana · ‎04-29-2024

There doesn't appear to be anything wrong with it - but it would require that field to be extracted so it could be searched.

Do you know if it's an indexed field or extracted at search time?

If you add | stats count by dataName to your search do you get any results - if not, then that field is not extracted.

If you run the search in verbose mode, does the dataName field show up in the fields in the left hand panel?

Searching on a specific field in JSON

field extraction

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Announcing the General Availability of Splunk Enterprise Security 8.1!

Developer Spotlight with William Searle

Are you a member of the Splunk Community?

Searching on a specific field in JSON

field extraction

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Announcing the General Availability of Splunk Enterprise Security 8.1!

Developer Spotlight with William Searle