I am ingesting JSON data via HEC on a heavy forwarder, but when I query the data in Splunk Cloud, I get different results depending on which app I use to query the data.
For example, in the Search and Reporting app, the JSON data creates an event with the fields "ping.jitter" and "ping.latency". However, when I query using a custom app, the event is not created and the fields "ping.jitter" and "ping.latency" are not created, nor are they populated with data.
Any ideas why?
Hi fdarrigo,
Two possible reasons:
- add KV_MODE = json to your sourcetype under Settings - Source types in your custom app
Hope this helps ...
cheers, MuS
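The stanza that setting produces on disk, shown here as an added example (it is not from the thread or from Splunk's own defaults; the sourcetype name speedtest_json is an assumption, use whatever sourcetype the HEC token assigns to these events):

```ini
# $SPLUNK_HOME/etc/apps/<your_custom_app>/local/props.conf
# Added example, not from the original thread. The sourcetype name
# "speedtest_json" is assumed; match it to the sourcetype set on the
# HEC token or in the HEC event payload.
[speedtest_json]
# Search-time JSON extraction. Nested keys are flattened into dotted
# field names, so {"ping": {"jitter": 1.2, "latency": 20}} yields the
# fields ping.jitter and ping.latency at search time.
KV_MODE = json
```

Two things to check when this still does not work. KV_MODE is a search-time setting, so it must exist on the Splunk Cloud search head in the app you search from (or in an app that exports it), not only on the heavy forwarder that receives the HEC traffic; a stanza created through the Settings UI is saved into whichever app you were in at the time, which is why the same data can show fields in one app and not another. Second, the search mode matters: Fast mode turns off field discovery, so even with KV_MODE = json the dotted fields are not shown unless the search references them explicitly; Verbose mode (or a search that names the fields, or a "| spath" after the base search, which forces JSON extraction regardless of KV_MODE) will show them.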
MuS- Changing from fast mode to verbose solved the problem
anthonymelita - thanks for the tip. I will keep it in mind.
In my experience Splunk attempts to auto-extract JSON objects to fields and frequently fails. Try adding a "| spath" command as your first pipe after basic search criteria like index, source, etc...
Thanks. I will keep it in mind.