Splunk Event _raw data is different from Source Event

madhav_dholakia
Contributor

Hi,

We are ingesting Couchbase JSON Documents into Splunk Cloud using Kafka.

When I open the same document (1st one ingested in Splunk - _raw and 2nd one is Couchbase JSON) and compare in Visual Studio Code, I can see differences as shown below:

madhav_dholakia_0-1702472804519.png

Splunk syntax highlighted data for this record is identical to original Couchbase JSON.

Can you please help me understand why _raw is showing this data differently, and also is there any way to get _raw data in the same format as the original JSON?

Thank you.

 

0 Karma

VatsalJagani
SplunkTrust

@madhav_dholakia - Splunk _raw shows the price as "17.0". I'm sure that Splunk cannot convert 17 to 17.0.

Hence, I'm leaning towards the idea that something else is wrong and Splunk is not modifying anything in the data unless you explicitly added any parsing configs in Splunk.

 

I hope this helps!!!

0 Karma

madhav_dholakia
Contributor

Thanks @VatsalJagani - the Couchbase JSON Document is also showing 17 and not 17.0.

So here, the Source System (Couchbase) and the Splunk Record (when viewed as "highlight syntax") are the same; it's just the Splunk Record _raw that is different.

What could be possibly causing this?

Thank you.

0 Karma

VatsalJagani
SplunkTrust

@madhav_dholakia - What I'm aware of is that Splunk _raw is what's coming from the system unless you are explicitly writing config to make changes via props.conf; otherwise Splunk has no functionality to make changes.

To me it looks like the actual value is 17.0, but the preview is simplifying it to 17 on both systems.

 

I hope this helps!!!

madhav_dholakia
Contributor

Apologies for the delayed response - I am getting this checked from the Couchbase side to see if the raw data there is showing the same values. Thank you.

0 Karma
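
Added example, not part of any post in this thread: it illustrates the hypothesis raised above, that a view which parses JSON and re-renders it can display 17 where the stored text says 17.0. JavaScript's `JSON.parse`/`JSON.stringify` stand in for such a view (an assumption; the thread does not confirm how either product renders), and `SAMPLE_RAW` is a constructed document.

```javascript
// Constructed sample standing in for an event's _raw text (not data from the thread).
const SAMPLE_RAW = '{"sku": "A-17.0", "price": 17.0, "qty": 3, "weight": 1.50, "scale": 1e2}';

// Walk the raw text, skip string contents, and report every number literal
// whose parsed-and-re-rendered form differs from the text as stored.
function findNormalizedNumbers(raw) {
  // Sticky regex for the JSON number grammar; matches only at lastIndex.
  const numberRe = /-?(?:0|[1-9]\d*)(?:\.\d+)?(?:[eE][+-]?\d+)?/y;
  const findings = [];
  let i = 0;
  while (i < raw.length) {
    const ch = raw[i];
    if (ch === '"') {
      // Skip a whole string, honouring backslash escapes.
      i++;
      while (i < raw.length && raw[i] !== '"') {
        i += raw[i] === '\\' ? 2 : 1;
      }
      i++;
      continue;
    }
    if (ch === '-' || (ch >= '0' && ch <= '9')) {
      numberRe.lastIndex = i;
      const m = numberRe.exec(raw);
      if (m) {
        const lexeme = m[0];
        // What a parse-then-render view would print for this literal.
        const rendered = JSON.stringify(JSON.parse(lexeme));
        if (rendered !== lexeme) {
          findings.push({ offset: i, raw: lexeme, rendered });
        }
        i += lexeme.length;
        continue;
      }
    }
    i++;
  }
  return findings;
}

// True when two documents parse to the same values in the same key order,
// even if their raw number text differs (17.0 versus 17).
function sameParsedValue(a, b) {
  return JSON.stringify(JSON.parse(a)) === JSON.stringify(JSON.parse(b));
}

console.log(findNormalizedNumbers(SAMPLE_RAW));
```

Running the same check over the text exported from each system shows whether a difference seen in an editor is in the stored bytes or only in how a viewer prints the number.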