Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

why splunk builds "endless" fields from json-events?

marcokrueger
Path Finder
‎05-12-2013 11:22 PM

I have events in json-format as input and the events are recognized fine, but in smart-mode the automatic field extraction builds very long recursive fields.
As an example I get the correct field traceMap.RESPONSE.status only a few times, but there are other extracted tapeworm fields
traceMap.SEARCHRESULT.results{}.price.traceMap.RESPONSE.status
traceMap.SEARCHRESULT.results{}.price.traceMap.SEARCHRESULT.results{}.price.traceMap.RESPONSE.status
traceMap.SEARCHRESULT.results{}.price.traceMap.SEARCHRESULT.results{}.price.traceMap.SEARCHRESULT.results{}.price.traceMap.RESPONSE.status
etc.
It looks like that splunk dont recognize the end of the "traceMap.SEARCHRESULT.results{}.price" or there are limitations in field-extraction and some events are really long (30000 characters) and I set
[kv]
maxchars = 100000

but this don't help.

Is there any idea?
Best regards, Marco

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

marcokrueger
Path Finder
‎05-15-2013 02:19 AM

I solved it and it was a hidden error in the json-format.
"price" : NaN, is not json-format. it have to be "price" : "NaN",
but on my search I looked on the search-result of splunk and it shows me the json-objects with qouted "nan" so I thought it was interpreted correct and all is fine, but it wasn't.

So, if you have a similar problem, make sure your json or xml is correct in the _raw-level. 😉

Best regards,
Marco

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

marcokrueger
Path Finder
‎05-15-2013 02:19 AM

I solved it and it was a hidden error in the json-format.
"price" : NaN, is not json-format. it have to be "price" : "NaN",
but on my search I looked on the search-result of splunk and it shows me the json-objects with qouted "nan" so I thought it was interpreted correct and all is fine, but it wasn't.

So, if you have a similar problem, make sure your json or xml is correct in the _raw-level. 😉

Best regards,
Marco

0 Karma
Reply
Solved! Jump to solution

jonuwz
Influencer
‎05-13-2013 03:13 AM

Have the same problem with xml and using spath.
On 4.3 it hangs the search and a core hits 100% until killed. On 5.X you get stupid long paths.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...