Getting Data In

Why am I having trouble searching exact field values indexed via an HTTP Event Collector?

jensguenther
New Member

Hi Splunkers,

I've got a strange problem over here: I have events indexed via the HTTP Event Collector which behave strangely when searched for exact field values.

Let's say I got events with a field "domain" with value "example.org". Splunk reports those field/values correctly.

Now, if I search for

domain="example.org"

Splunk returns no events at all. However, if I search for

domain="*example.org*"

Splunk returns all matching events. Even funnier, if I do

* | eval dd=domain | search dd="example.org"

Splunk returns all matching events.

We have this effect only on a few fields for this particular HTTP collector stream. Here is an example of the (stripped) payload we send over:

{"event":"EventName","fields":{"domain":"example.org"}}

Any ideas?

0 Karma

appneta_tray
New Member

I have the same issue. We are submitting several fields via HTTP collector. The fields all seem to be parsed correctly, all my events are showing up in the index. When I try something as simple as clicking on one of the fields and selecting 'Add to search', the exact value that I've just clicked is added to the search and the search returns nothing.

The fact that this thread is 2 years old is a little disheartening . . .

0 Karma

493669
Super Champion

@jensguenther,
It seems there is a space before your example.org in the field domain, so try to remove these spaces using the trim command like below:

|eval domain=trim(domain)

It will remove spaces/tabs; now search for your value and you will get it as expected.

jensguenther
New Member

thanks 493669 ;).

We thought about that, double/triple-checked it and, well, nope :/. We also thought there's some crazy hidden char; we even recommitted our JavaScript generating the events - nothing. It is like it is.

Is there any way to access the low-level event data in the underlying data storage? Not _raw, we obviously tried that already. Maybe I have to wireshark it just before the indexer...

0 Karma

marycordova
SplunkTrust

There was another question like that here recently, I couldn't find that post, but essentially it had to do with "major" and "minor" key value delimiters and what Splunk calls search "terms".

It might not actually be a space as suggested in this answer, but there is something there that is mucking up what your expected behavior is.

@marycordova
0 Karma

jensguenther
New Member

thanks Mary!

I checked that major and minor but got stuck somehow.

However, we have this problem also on another field where we just put in plain simple single words with the exact same behavior.

I checked the source generating the events: they look solid, no additional chars, all's OK.

Honestly, I'm currently thinking of throwing the "fields" : {...} section away and just putting everything into "event": "key=value"...

0 Karma
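A way to check the HEC payloads themselves for the hidden characters this thread suspects (leading/trailing whitespace, control or zero-width characters) before they reach the indexer. This is an added example, not code from any poster here; it assumes the payloads are available as the raw JSON lines sent to the collector, and the sample payloads below are constructed.

```python
import json
import unicodedata

# Constructed sample HEC payloads: the first is clean, the others carry the
# kinds of invisible characters that make an exact search miss while a
# wildcard search (domain="*example.org*") still matches.
SAMPLE_PAYLOADS = [
    '{"event":"EventName","fields":{"domain":"example.org"}}',
    '{"event":"EventName","fields":{"domain":" example.org"}}',
    '{"event":"EventName","fields":{"domain":"example.org\\u200b"}}',
    '{"event":"EventName","fields":{"domain":"example.org\\r"}}',
]


def suspicious_chars(value):
    """Return a list of (index, codepoint, unicode name) for characters that
    would not be visible in the Splunk UI but change the indexed value:
    whitespace at either end, control/format characters (e.g. zero-width
    space) and anything outside printable ASCII."""
    findings = []
    for i, ch in enumerate(value):
        cat = unicodedata.category(ch)
        edge_space = ch.isspace() and (i == 0 or i == len(value) - 1)
        if edge_space or cat.startswith("C") or not 0x20 <= ord(ch) <= 0x7E:
            findings.append((i, "U+%04X" % ord(ch), unicodedata.name(ch, cat)))
    return findings


def audit_hec_payload(raw):
    """Parse one HEC payload and audit every string value under "fields".
    Returns {field_name: findings} containing only the fields with problems,
    so an empty dict means the payload is clean."""
    payload = json.loads(raw)
    report = {}
    for name, value in payload.get("fields", {}).items():
        if isinstance(value, str):
            found = suspicious_chars(value)
            if found:
                report[name] = found
    return report


if __name__ == "__main__":
    for line in SAMPLE_PAYLOADS:
        print(audit_hec_payload(line) or "clean", "<-", line)
```

Run it over a capture of the real payloads (one JSON object per line) to see exactly which field carries the stray byte and at which position.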