Some fields are not extracted in json

chandrasekhar46
Loves-to-Learn Everything

I have a JSON event in which some fields are not extracting properly. When I table them I am not getting some fields after the message field, e.g. this event:

Here is the event and the table results:

{
"log":{
"emmsite":"Test",
"destsite":null,
"side":"INB",
"datetime":"10/14/2025 19:14:05",
"interfaceid":"TI000",
"env":"dev",
"objectid":null,
"objecttype":"WS",
"objectname":"Cancel Method / Cancel Request",
"interface":"CancelAnalysisService",
"project":"unilims",
"message":"<ns0:ErrorReport xmlns:ns0=\http://www.tibco.com/pe/EngineTypes\>\n <StackTrace>Job-30001 Error in [Applications/CEP/Processes/I...

log.datetime         log.destsite  log.emmsite  log.env  log.interface          log.interfaceid  log.objectid  log.objectname                  log.objecttype  log.project  log.side
10/14/2025 19:14:05  null          CEP          dev      CancelAnalysisService  TI000            null          Cancel Method / Cancel Request  WS              utest        INB




chandrasekhar46
Loves-to-Learn Everything

Sorry, I missed some closing blocks; here is the full event:

{
"log":{
"emmsite":"CEP",
"destsite":null,
"side":"INB",
"datetime":"10/14/2025 19:14:05",
"interfaceid":"TI000",
"env":"dev",
"objectid":null,
"objecttype":"WS",
"objectname":"Cancel Method / Cancel Request",
"interface":"CancelAnalysisService",
"project":"test",
"message":"<ns0:ErrorReport xmlns:ns0=\\http://www.tibco.com/pe/EngineTypes\\>\n <StackTrace>Job-30001 Error in [Applications/CEP/Processes/In_ADRMAS_A.process/Parse XML]\nA validation occurred while parsing: validation error: unexpected content \"YE1AUSPM\"; expected \"E1BPAD1VL\" or \"E1BPADTEL\" or \"E1BPADFAX\" or \"E1BPADTTX\" or \"E1BPADTLX\" or \"E1BPADSMTP\" or \"E1BPADRML\" or \"E1BPADX400\" or \"E1BPADRFC\" or \"E1BPADPRT\" or \"E1BPADSSF\" or \"E1BPADURI\" or \"E1BPADPAG\" or \"E1BPAD__REM\" or \"E1BPCOMREM\" or \"E1BPADUSE\" ({com.tibco.xml.validation}COMPLEX_E_UNEXPECTED_CONTENT) at /ns:ADRMAS03-4x[1]/CHILDREN[1]/E1ADRMAS[1]/item[1]/CHILDREN[1]/YE1AUSPM[1]\ncom.tibco.xml.validation.exception.UnexpectedElementException: unexpected content \"YE1AUSPM\"; expected \"E1BPAD1VL\" or \"E1BPADTEL\" or \"E1BPADFAX\" or \"E1BPADTTX\" or \"E1BPADTLX\" or \"E1BPADSMTP\" or \"E1BPADRML\" or \"E1BPADX400\" or \"E1BPADRFC\" or \"E1BPADPRT\" or \"E1BPADSSF\" or \"E1BPADURI\" or \"E1BPADPAG\" or \"E1BPAD__REM\" or \"E1BPCOMREM\" or \"E1BPADUSE\"&#xD;\n\tat com.tibco.xml.validation.state.dri",
"logtype":"Email",
"transactionid":null,
"ack_ai":"test.emai@testdomain.com",
"ack_gp":" Batch Reference No:"
}
}


yuanliu
SplunkTrust

Unless your shared event is butchered by your sharing method, it is NOT a valid JSON object. You can test this with Python's json.tool module:

python3 -mjson.tool <<<'<your event text>'

json.tool will tell you that the message is incorrectly quoted, as @ITWhisperer suggests: "Invalid \escape: line 14 column 39 (char 304)". When the event is not valid, of course Splunk will butcher extraction. (I have also tested with spath; it cannot extract all fields.)

If you have sanitized the sample event, make sure you preserve JSON syntax precisely. Share in a code box, not as plain text. Otherwise you need to examine your ingestion, and even question your developers about the original content.

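To make the json.tool check above reproducible without a shell, here is an added Python example (not from the thread) that runs the same decoder over a constructed, shortened copy of the posted event in its three quoting variants: the lone backslash from the first post (invalid escape), the doubled backslash from the second post (valid JSON, but it decodes to a backslash rather than a quote, so the XML inside is still malformed), and the escaped double quotes @ITWhisperer expected.

```python
import json

# Constructed sample modelled on the event in the thread: the namespace URI in
# "message" is wrapped in a lone backslash (\h...), which is not a legal JSON escape.
BROKEN_EVENT = r'''{
"log":{
"emmsite":"CEP",
"interface":"CancelAnalysisService",
"message":"<ns0:ErrorReport xmlns:ns0=\http://www.tibco.com/pe/EngineTypes\>\n <StackTrace>Job-30001 Error</StackTrace>",
"logtype":"Email",
"ack_gp":" Batch Reference No:"
}
}'''

# Same event with the quotes around the URI escaped the way JSON requires (\"...\").
FIXED_EVENT = BROKEN_EVENT.replace(r'\http', r'\"http').replace(r'Types\>', r'Types\">')

# Variant with doubled backslashes, as in the follow-up post: syntactically valid JSON,
# but each \\ decodes to a single backslash, not a quote, so the XML attribute is still wrong.
DOUBLED_EVENT = BROKEN_EVENT.replace(r'\http', r'\\http').replace(r'Types\>', r'Types\\>')


def validate_event(text):
    """Return (ok, detail): the parsed object on success, the decoder's error text on failure."""
    try:
        return True, json.loads(text)
    except json.JSONDecodeError as exc:
        # Same information json.tool prints: message, line, column and absolute offset.
        return False, f"{exc.msg}: line {exc.lineno} column {exc.colno} (char {exc.pos})"


def message_field(text):
    """Decoded log.message when the event parses, else None; this is the string spath would see."""
    ok, obj = validate_event(text)
    return obj["log"]["message"] if ok else None


if __name__ == "__main__":
    for name, event in [("broken", BROKEN_EVENT), ("doubled", DOUBLED_EVENT), ("fixed", FIXED_EVENT)]:
        ok, detail = validate_event(event)
        print(name, "valid" if ok else f"INVALID -> {detail}")
        if ok:
            print("   message starts with:", detail["log"]["message"][:65])
```

Fields after "message" (logtype, ack_gp) only become addressable once the whole object parses, which is why the table in the question stops at the fields that precede it.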

ITWhisperer
SplunkTrust

Is this really what your event looks like? I would have expected the namespace to have escaped double quotes, not escaped backslashes?

Please share your raw event in a code block to prevent any undue reformatting of the data.


PrewinThomas
Motivator

@chandrasekhar46 

Looks like Splunk’s auto JSON extraction is interrupted by the long/escaped message field. Are you using spath in your search?

Can you try using spath:

| spath
| table log.datetime log.emmsite log.env log.interface log.interfaceid log.objectname log.objecttype log.project log.side log.logtype log.ack_ai log.ack_gp

Or target the specific fields you need:

| spath path=log.logtype
| spath path=log.transactionid
| spath path=log.ack_ai
| spath path=log.ack_gp


Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!


ITWhisperer
SplunkTrust

Please share your event in raw format in a code block using the </> formatting button.


isoutamo
SplunkTrust

Also, how long can those events be? There are defaults for auto extraction, and those are not as big as you might expect.