Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

why splunk builds "endless" fields from json-events?

marcokrueger
Path Finder
‎05-12-2013 11:22 PM

I have events in json-format as input and the events are recognized fine, but in smart-mode the automatic field extraction builds very long recursive fields.
As an example I get the correct field traceMap.RESPONSE.status only a few times, but there are other extracted tapeworm fields
traceMap.SEARCHRESULT.results{}.price.traceMap.RESPONSE.status
traceMap.SEARCHRESULT.results{}.price.traceMap.SEARCHRESULT.results{}.price.traceMap.RESPONSE.status
traceMap.SEARCHRESULT.results{}.price.traceMap.SEARCHRESULT.results{}.price.traceMap.SEARCHRESULT.results{}.price.traceMap.RESPONSE.status
etc.
It looks like that splunk dont recognize the end of the "traceMap.SEARCHRESULT.results{}.price" or there are limitations in field-extraction and some events are really long (30000 characters) and I set
[kv]
maxchars = 100000

but this don't help.

Is there any idea?
Best regards, Marco

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

marcokrueger
Path Finder
‎05-15-2013 02:19 AM

I solved it and it was a hidden error in the json-format.
"price" : NaN, is not json-format. it have to be "price" : "NaN",
but on my search I looked on the search-result of splunk and it shows me the json-objects with qouted "nan" so I thought it was interpreted correct and all is fine, but it wasn't.

So, if you have a similar problem, make sure your json or xml is correct in the _raw-level. 😉

Best regards,
Marco

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

marcokrueger
Path Finder
‎05-15-2013 02:19 AM

I solved it and it was a hidden error in the json-format.
"price" : NaN, is not json-format. it have to be "price" : "NaN",
but on my search I looked on the search-result of splunk and it shows me the json-objects with qouted "nan" so I thought it was interpreted correct and all is fine, but it wasn't.

So, if you have a similar problem, make sure your json or xml is correct in the _raw-level. 😉

Best regards,
Marco

0 Karma
Reply
Solved! Jump to solution

jonuwz
Influencer
‎05-13-2013 03:13 AM

Have the same problem with xml and using spath.
On 4.3 it hangs the search and a core hits 100% until killed. On 5.X you get stupid long paths.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk on November 6 at 11AM PT, and empower your SOC to reach new heights! Duration: ...

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...