Splunk Search

Unable to search based on certain fields

sidthesloth98
New Member

In each JSON event that I put into Splunk, I have a field with the format:

"field": "1:2:3:4"
However, whenever I try to run a search using this field, it always says that there are 0 results, even though I can see plenty of events with this field.

One workaround I found was to use spath, and then I was able to search using it, but I'd rather not have to do that every time.

Thanks in advance for any help.


manjunathmeti
Champion

Are you seeing values for the "field" in your base index search? Is this field extracted at index time?


sidthesloth98
New Member

Yeah, I can see these values in the events, just not when I try to search on a certain value. It's not extracted at index time.


manjunathmeti
Champion

Looks like this field is not extracted at index time, and at search time the ":" in the field value is causing issues. Are you able to filter the data based on other fields in the index?


sidthesloth98
New Member

I can search with all other fields in the index; it's just this one that I have problems with.


manjunathmeti
Champion

Then this field is not extracted at index time. Try these and check:

index= | search field="1:2:3:4"

or

index= | where field="1:2:3:4"


to4kawa
SplunkTrust

I see. Can you provide samples?


codebuilder
Motivator

Are the other fields displayed that you expect to be extracted?


richgalloway
SplunkTrust

spath is the command for parsing json data. What is your objection to using it?

---
If this reply helps you, an upvote would be appreciated.
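As an added diagnostic (not part of the original thread, and not something any of the posters wrote), the following SPL puts the two suggestions above side by side: it extracts the value a second time with spath under a separate name and compares, per event, whether the automatically extracted field and the spath-extracted field each equal the colon-separated value. `<index>` and `<sourcetype>` are placeholders for the poster's own values; `field` is the JSON key used in the question, assumed to be at the top level of each event.

```spl
index=<index> sourcetype=<sourcetype>
| spath input=_raw path=field output=field_spath
| eval auto_value=coalesce(field, "MISSING")
| eval spath_value=coalesce(field_spath, "MISSING")
| eval auto_match=if(auto_value="1:2:3:4", "yes", "no")
| eval spath_match=if(spath_value="1:2:3:4", "yes", "no")
| stats count by auto_match spath_match
```

Reading the result: rows with `auto_match=no spath_match=yes` mean the events contain the value but the automatic search-time extraction is not producing a field named `field` with that exact value (for example, a nested key surfaces under a dotted parent name); adding `| table field* auto_value spath_value` before the `stats` shows what the automatic extraction actually produced. Rows with both set to `no` mean the `path=field` given to spath does not match where the key sits in the JSON, so the path, not the colons, is the first thing to fix. Once the correct path is known, the search the question wants is `| spath input=_raw path=<correct path> output=field | search field="1:2:3:4"`.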

sidthesloth98
New Member

It just feels messy to me. I don't see why I would have to use it if the data is already there when indexing.
