In each JSON event that I put into Splunk, I have a field with the format:
"field": "1:2:3:4"
However, whenever I try to run a search using this field, it always says that there are 0 results, even though I can see plenty of events with this field.
One workaround I found was to use spath, and then I was able to search using it, but I'd rather not have to do that every time.
Thanks in advance for any help.
Are you seeing values for the "field" in your base index search? Is this field extracted in index?
Yeah, I can see these values in the events, just not when I try to search on a certain value. It's not extracted in index.
Looks like this field is not extracted during index time. And during search time, the ":" in the field value is causing issues. Are you able to filter the data based on other fields in the index?
I can search with all other fields in the index; it's just this one that I have problems with.
Then this field is not extracted during index-time. Try and check:
index= | search field="1:2:3:4" OR index= | where field="1:2:3:4"
I see. Can you provide samples?
Are the other fields displayed that you expect to be extracted?
spath is the command for parsing JSON data. What is your objection to using it?
It just feels messy to me. I don't see why I would have to use it if the data is already there when indexing.
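The spath approach discussed above, written out as an added example (not from the thread); the index name my_index and sourcetype my_json are assumptions, and the field and value are the ones from the question:

```spl
index=my_index sourcetype=my_json
| spath input=_raw path=field output=field
| search field="1:2:3:4"
| table _time field
```

To avoid adding spath to every search, set KV_MODE = json on the sourcetype in props.conf, which enables automatic search-time JSON extraction for that data.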