Splunk Search

Why are only some JSON fields extracted as data input, but all are correctly extracted with spath?

nfieglein
Path Finder

When I identify my input as JSON, some of the fields are correctly parsed, but not all. When I send the _raw field to spath, all of the fields are correctly parsed. Can anyone help me on this? Some of the fields which are not available are:
LogEntry.Content.Amdps1204ipmCpy.Dps1204Ipm.SvctagSegmentGrp.DpsNum
LogEntry.Content.Amdps1204ipmCpy.Dps1204Ipm.SvctagSegmentGrp.Svctag
LogEntry.Content.Amdps1204ipmCpy.Dps1204Ipm.StatusSegmentGrp.RecordType

My props.conf settings are:

# your settings
CHARSET=UTF-8
NO_BINARY_CHECK=1

# set by detected source type
INDEXED_EXTRACTIONS=json
KV_MODE=none
MAX_EVENTS=4096
TIMESTAMP_FIELDS=Timestamp
TIME_FORMAT=%Y-%m-%d %H:%M:%S
TRUNCATE=20000
pulldown_type=1

Here is some example JSON:

{
"Timestamp":"2014-11-03 14:34:55",
"Type":"INFO ",
"Class":"TopicListenner:?",
"LogEntry":
{
"source":"AMDPS",
"Content": {
"Amdps1204ipmCpy":{
"Dps1204Ipm":{
"CustomerSegmentGrp":{
"CustomerNumBuid":"000000707","CustomerNum":"7777777","DpsType":"EXG","CompanyNum":"02","RequestingService":"Safder Memon"}
,"OrderSegmentGrp":{
"ExgOrderNum":"000000000490644069","DomsStatusDate":20141103,"DspStatusCode":"0000","DomsStatusCode":"SC","PoNum":38045618}
,"PartsSegmentGrp":{
"PartsSegment":[{
"SkuMfgNbr":"89HT1","QuantityAtFsb":"0000000000","PartDescription":"KIT,MEDIA,DVD,RDVD,7737","Quantity":"000000001"}
,{
"SkuMfgNbr":"CY2KJ","QuantityAtFsb":"0000000000","PartDescription":"KIT,SW,W8H/P64,MUL24","Quantity":"000000001"}
]}
,"FsbLocationGrp":{
"FsbLocationSegment":[{
"VendorId":"0016","VendorInfo":[{
"MilesToFsb":"0007","FsbLocation":"WYOW1"}
,{
"MilesToFsb":"0092","FsbLocation":"WYUL1"}
,{
"MilesToFsb":"0092","FsbLocation":"WYGK1"}
]}
,"","",""]}
,"JobSegmentGrp":{
"JobIndx":0}
,"ContactSegmentGrp":{
"TelephoneNbr":5555555555,"ContactName":"NOONE SPECIAL","PhoneExtension":"00000"}
,"HeaderSegmentGrp":{
"CreationDate":"Mon Nov 03 14:34:54 CST 2014","OperationType":"TRN"}
,"CommentSegmentGrp":{
"CommentSegment":[{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"P:Media Request","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"D:Media Request","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"cx called in bec he would like to reinstall the","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"OS however he don't have the Media Recovery disc,","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"cx requesting for it, he would like to reinstall","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"the OS bec there's a lot of stuff or apps on","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"system and cx would like to refresh or to clean","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"it up, he wants to remove all the files and data.","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"inform cx the this request is a one time deal","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"only, cx understand, inform also cx the warranty","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"details. done CDO - set to prio 4","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"SYSTEM: Inspiron 17","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"BTTR: Cx declined follow-up","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"Consulted: CM POC Ice Bordeos","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"Heat Check: SAT","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"Captured, verified and updated Customer Name and","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"Contact info in SR header.","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"Captured, keyspelled and updated email address","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"in SR header.","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"VA TOADE","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"Cx agreed to 'One-Strike policy'","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"Provided Ownership Spiel/s","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"FTF USED. ARTICLE NUMBER: non compliance","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"Audibly obtained PN","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"No APN","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"VDI Told cust about Refurb replacement parts","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"VPKRS: No need for plastic replacement","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"Media Check. Customer has: None","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"Provided TAT: 1-2 BD","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"CRU/FRU part/s verified thru DTT/EducateDell","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"Provided Moxie as a lifeline","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"Sent summary email during call. Customer","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"confirmed e-mail is received.","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"Gave service request number to customer.","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"THIS IS AN ALABANG DISPATCH","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"S:dps media","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"STC: SOME TECH","DetailProblemDesc":"Created from DellServ Case #999999999","CommentDate":20141031}
,{
"CommentType":"EXG","TechName":"ETSB SOME OTHERTECH","DetailProblemDesc":"PART OK","CommentDate":20141101}
,{
"CommentType":"EXG","TechName":"ETSB SOME OTHERTECH","DetailProblemDesc":"RS APPROVED DPS","CommentDate":20141101}
]}
,"RaSegmentGrp":{
"RaFlag":"N"}
,"AddressSegmentGrp":{
"TimeZone":"EST","EdiRegionCode":"CA","StreetTwo":"Suite 3333","State":"ON","ZipCode":"999 999","City":"Gloucester","CountryCode":"CA","StreetOne":"9999 Duck St"}
,"StatusSegmentGrp":{
"StatusDate":"20141103:14:34:54.495440","RecordType":"C","StatusCode":"TTC"}
,"TranhistSegmentGrp":{
"EventDate":"20141103:14:34:54.448741","VendorNum":"0016","VendorDate":"20141104:16:00","EventCode":"VX","EventComments":"RTN WAYBILL#: KAM001231827"}
,"SvctagSegmentGrp":{
"ModelNumber":"DZ","ServiceLevel":"CP","TechNameIssuedCall":"STC: SOME TECH","DspReplyCode":"0000","TechBadgeNumIssuedCall":659662,"ReasonCode":"SW3F","TechIdIssuedCall":"000251779","Buid":"000000707","ItemSubClass":"002","Svctag":"B375ST1","DpsNum":"000175479487","ProductDesc":"7737,NOTEBOOK,HADLEY 17FBTX","LineOfBusiness":55}
}
}
}
}
}
0 Karma

dmr195
Communicator

The reason those fields are not parsed automatically is probably due to the extraction_cutoff limit in limits.conf, which defaults to 5000 (search for extraction_cutoff in the limits.conf spec. Your example JSON is over 7000 characters long, and the 3 fields that you've said are not automatically extracted are near the end.

As for why it works with the spath command, it might be that you're not using spath in "extract-all" mode. Apparently the cutoff only applies to "extract-all" mode.

bclarke5765
Explorer

Does this configuration get applied at search time or at indexing time? In other words, after I change this config should the change be applied to logs retroactively or just going forward?

Also, I'm assuming this configuration should be set on the indexers, not the search head. Is this correct?

0 Karma

dmr195
Communicator

It will depend how exactly JSON parsing is configured. You can set INDEXED_EXTRACTIONS=json in props.conf and then the JSON fields will be extracted on the indexer, or even earlier on a heavy forwarder if you are using one.

So if you are using INDEXED_EXTRACTIONS=json then I think you need to change the limit on all indexers and heavy forwarders. In this case data that is already in your indexes will not benefit.

On the other hand, you can also do JSON parsing at search time using KV_MODE=json in props.conf, the spath command or the spath() eval function. If you're doing any of these then you'd want the setting on the search head. It's conceivable you could also need the increased cutoff on the indexers as well because I don't see why JSON parsing couldn't be delegated to the indexers in a distributed environment.

Obviously for JSON parsing at search time any changed cutoff will apply to previously indexed data as well as data indexed after the change.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...