Searching on a specific field in JSON

fredsnertz

This is probably an entry level question. I have raw data that looks something like this:

{"id": 99999, "type": "HOST", "timestamp": "2024-04-29T10:41:39.820Z", "entity": {"ipAddress": "1.1.1.1"}, "dataName": "Testing"}

If I search for type="HOST" or entity.ipAddress="1.1.1.1" I get this entry in the results, but if I search for dataName="Testing" or even dataName=*, I get nothing. What is different about this field?

gcusello

Hi @fredsnertz ,

see in the interesting fields from your searh what's the real ile name of dataName field (probably entity.dataName) and use it.

Using the json format fields are composite.

Ciao.

Giuseppe

bowesmana

There doesn't appear to be anything wrong with it - but it would require that field to be extracted so it could be searched.

Do you know if it's an indexed field or extracted at search time?

If you add | stats count by dataName to your search do you get any results - if not, then that field is not extracted.

If you run the search in verbose mode, does the dataName field show up in the fields in the left hand panel?

Searching on a specific field in JSON

field extraction

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?