Splunk Search

Some fields are not extracted in json

chandrasekhar46
Loves-to-Learn Everything

I have a JSON event in which some fields are not extracting properly. When I table them I am not getting some fields after the message field. Example event:

Here is the event and the table results:

{
"log":{
"emmsite":"Test",
"destsite":null,
"side":"INB",
"datetime":"10/14/2025 19:14:05",
"interfaceid":"TI000",
"env":"dev",
"objectid":null,
"objecttype":"WS",
"objectname":"Cancel Method / Cancel Request",
"interface":"CancelAnalysisService",
"project":"unilims",
"message":"<ns0:ErrorReport xmlns:ns0=\http://www.tibco.com/pe/EngineTypes\>\n <StackTrace>Job-30001 Error in [Applications/CEP/Processes/I...

log.datetime     10/14/2025 19:14:05
log.destsite     null
log.emmsite      CEP
log.env          dev
log.interface    CancelAnalysisService
log.interfaceid  TI000
log.objectid     null
log.objectname   Cancel Method / Cancel Request
log.objecttype   WS
log.project      utest
log.side         INB

0 Karma

chandrasekhar46
Loves-to-Learn Everything

Sorry, I missed some closing blocks. Here is the full event:

{
"log":{
"emmsite":"CEP",
"destsite":null,
"side":"INB",
"datetime":"10/14/2025 19:14:05",
"interfaceid":"TI000",
"env":"dev",
"objectid":null,
"objecttype":"WS",
"objectname":"Cancel Method / Cancel Request",
"interface":"CancelAnalysisService",
"project":"test",
"message":"<ns0:ErrorReport xmlns:ns0=\\http://www.tibco.com/pe/EngineTypes\\>\n <StackTrace>Job-30001 Error in [Applications/CEP/Processes/In_ADRMAS_A.process/Parse XML]\nA validation occurred while parsing: validation error: unexpected content \"YE1AUSPM\"; expected \"E1BPAD1VL\" or \"E1BPADTEL\" or \"E1BPADFAX\" or \"E1BPADTTX\" or \"E1BPADTLX\" or \"E1BPADSMTP\" or \"E1BPADRML\" or \"E1BPADX400\" or \"E1BPADRFC\" or \"E1BPADPRT\" or \"E1BPADSSF\" or \"E1BPADURI\" or \"E1BPADPAG\" or \"E1BPAD__REM\" or \"E1BPCOMREM\" or \"E1BPADUSE\" ({com.tibco.xml.validation}COMPLEX_E_UNEXPECTED_CONTENT) at /ns:ADRMAS03-4x[1]/CHILDREN[1]/E1ADRMAS[1]/item[1]/CHILDREN[1]/YE1AUSPM[1]\ncom.tibco.xml.validation.exception.UnexpectedElementException: unexpected content \"YE1AUSPM\"; expected \"E1BPAD1VL\" or \"E1BPADTEL\" or \"E1BPADFAX\" or \"E1BPADTTX\" or \"E1BPADTLX\" or \"E1BPADSMTP\" or \"E1BPADRML\" or \"E1BPADX400\" or \"E1BPADRFC\" or \"E1BPADPRT\" or \"E1BPADSSF\" or \"E1BPADURI\" or \"E1BPADPAG\" or \"E1BPAD__REM\" or \"E1BPCOMREM\" or \"E1BPADUSE\"&#xD;\n\tat com.tibco.xml.validation.state.dri",
"logtype":"Email",
"transactionid":null,
"ack_ai":"test.emai@testdomain.com",
"ack_gp":" Batch Reference No:"
}
}

0 Karma

yuanliu
SplunkTrust

Unless your shared event is butchered by your sharing method, it is NOT a valid JSON object. You can test this with Python's json.tool module:

python3 -mjson.tool <<<'<your event text>'

json.tool will tell you that the message is incorrectly quoted, as @ITWhisperer suggests: "Invalid \escape: line 14 column 39 (char 304)". When the event is not valid, of course Splunk will butcher extraction. (I have also tested with spath - it cannot extract all fields.)

If you have sanitized the sample event, make sure you preserve JSON syntax precisely. Share in a code box, not as plain text. Otherwise you need to examine your ingestion, even question your developers about the original content.

0 Karma
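Added example (not code from any poster in this thread): a small Python script that applies the json.tool style check from this answer to two constructed events modelled on the thread's event. The first keeps the invalid "\h" escape from the poster's first paste, the second the valid "\\" escape from the second paste; the valid one is then flattened into spath-style dotted names to show that the fields after message come back once the JSON actually parses.

```python
import json

# Constructed sample events (shortened from the thread's event). The first keeps
# the invalid JSON escape "\h" seen in the poster's first paste; the second uses
# the valid "\\" escape from the second paste. Raw strings keep the backslashes.
BAD_EVENT = r'''{"log":{"emmsite":"CEP","side":"INB","message":"<ns0:ErrorReport xmlns:ns0=\http://www.tibco.com/pe/EngineTypes\>\n <StackTrace>Job-30001 Error in [Parse XML]</StackTrace>","logtype":"Email","transactionid":null,"ack_ai":"test.emai@testdomain.com"}}'''
GOOD_EVENT = BAD_EVENT.replace(r"=\http", r"=\\http").replace(r"Types\>", r"Types\\>")


def validate_event(raw):
    """Return (parsed, None) for valid JSON, or (None, error) carrying the same
    message and character offset that python3 -m json.tool would print."""
    try:
        return json.loads(raw), None
    except json.JSONDecodeError as exc:
        around = raw[max(0, exc.pos - 12):exc.pos + 12]
        return None, f"{exc.msg}: line {exc.lineno} column {exc.colno} (char {exc.pos}) near {around!r}"


def flatten(obj, prefix=""):
    """Flatten nested JSON into dotted names the way spath reports them
    (log.logtype, log.ack_ai, ...). Lists are kept as leaf values here."""
    fields = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            fields.update(flatten(value, f"{prefix}.{key}" if prefix else key))
    else:
        fields[prefix] = obj
    return fields


def fields_after_message(raw):
    """Names of the fields that follow log.message, i.e. the ones missing from
    the poster's table. Empty when the event does not parse at all."""
    parsed, _error = validate_event(raw)
    if parsed is None:
        return []
    names = list(flatten(parsed))
    return names[names.index("log.message") + 1:]


if __name__ == "__main__":
    for label, event in (("first paste", BAD_EVENT), ("second paste", GOOD_EVENT)):
        parsed, error = validate_event(event)
        print(label, "->", error or f"valid, fields after message: {fields_after_message(event)}")
```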

ITWhisperer
SplunkTrust

Is this really what your event looks like? I would have expected the namespace to have escaped double quotes, not escaped backslashes?

Please share your raw event in a code block to prevent any undue reformatting of the data.

0 Karma

PrewinThomas
Motivator

@chandrasekhar46 

Looks like Splunk’s auto JSON extraction is interrupted by the long/escaped message field. Are you using spath in your search?

Can you try using spath:

| spath
| table log.datetime log.emmsite log.env log.interface log.interfaceid log.objectname log.objecttype log.project log.side log.logtype log.ack_ai log.ack_gp

Or target the specific fields you need:

| spath path=log.logtype
| spath path=log.transactionid
| spath path=log.ack_ai
| spath path=log.ack_gp
Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

0 Karma

ITWhisperer
SplunkTrust

Please share your event in raw format in a code block using the </> formatting button.

0 Karma

isoutamo
SplunkTrust

Also, how long can those events be? There are defaults for auto extraction and those are not as big as you might expect.
0 Karma