I'm facing a very strange issue in my Splunk search. I have a data input coming from a REST API that returns a multi-level (nested) JSON response:
![REST API Response][1]
The entity node has several nodes, each of which represents one access point. Each access point contains a field called ipAddress. This API is called every 5 min and the response is stored in Splunk. When I do a search to get the list of IP addresses from one event, I don't get all of them. For some reason, it's like Splunk is reading only the first seven nodes inside entity, because when I do:
```
source="rest://AccessPointDetailsAPI" | head 1
```
Splunk shows only the following values on the field (**7 values although there are around 27**):
![Splunk Field data sample][2]
I'm using a demo license, if that matters. Why can't I see all the values? If I change my search to look for a specific ipAddress that is in the API response but not in the Splunk list of field values, I get no records.
It's like the search does not get all the values in the event for some fields.
Thanks and regards,
[1]: /storage/temp/125222-restreturnsample.jpg
[2]: /storage/temp/125223-splunkdata.jpg