topic Re: Iterate the extraction of json objects using Splunk query language in Getting Data In

Iterate the extraction of json objects using Splunk query language

lpolo — Mon, 03 Feb 2014 17:30:52 GMT

Is there an example that shows how to iterate the extraction of json objects using Splunk query language?

The spath command documentation shows an example but it is only for 2 key names

http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/Spath

I need to create a splunk query construct that iterates the json objects found in the following log event and then aggregate as follow:

Splunk main construct |stats sum(total) as total sum(Fails) as Fails sum(TimeOuts) as TimeOuts by client

Is there a way to do it in Splunk query language?

Json event:

[
{
"_time": "2014-02-17T18:15:00.000+00:00",
"Total": "194118",
"Bad": "7373",
"mean": "65.28",
"Fails": "10",
"client": "hello.com",
"TimeOuts": "0",
"Good": "194108",
"Service": "4u"
},
{
"_time": "2014-02-17T18:15:00.000+00:00",
"Total": "194118",
"Bad": "7373",
"mean": "65.28",
"Fails": "10",
"client": "HYO.com",
"TimeOuts": "0",
"Good": "194108",
"Service": "4u"
},
]

Thanks ,
Lp

Re: Iterate the extraction of json objects using Splunk query language

yannK — Tue, 18 Feb 2014 20:00:34 GMT

As another approach, because you have nice json events with a timestamp, and no sub level json.
Why not defining a sourcetype that will break your json in events each time you reach a new line with "{"
then you will have all your events separated, and can use spath to get your fields extracted.

example : http://answers.splunk.com/answers/80741/event-break-json

Re: Iterate the extraction of json objects using Splunk query language

lpolo — Wed, 19 Feb 2014 13:05:42 GMT

Thanks.
I should have thought about this solution.

Re: Iterate the extraction of json objects using Splunk query language

lpolo — Wed, 19 Feb 2014 14:39:13 GMT

yannK,

Now, I am able to extract all the json key values as expected. However, I cannot aggregate using the stats function example presented in the question. The results are incorrect. Any idea?

Re: Iterate the extraction of json objects using Splunk query language

lpolo — Wed, 19 Feb 2014 15:16:30 GMT

yannK,

I think that the problem is that the json objects are not split into events. Therefore, any aggregation function will not work as expected.

Re: Iterate the extraction of json objects using Splunk query language

lpolo — Wed, 26 Feb 2014 13:51:06 GMT

I can assure you that my regex is correct.