topic Re: How do you do a spath search that would search for multiple models with a variance of IOS levels? in Getting Data In

How do you do a spath search that would search for multiple models with a variance of IOS levels?

bzsplunk54 — Tue, 29 Sep 2020 23:55:16 GMT

Hello,

I am trying to acquire some input for SPL parsing a JSON file using the |spath command. Here is an example of my JSON format.

{
"ip": "10.1.1.2",
"hostname": "Switch_1",
"function": "Switch Access",
"owner": "Doughnut Co.",
"vendor": "Cisco",
"dev_type": "Switch",
"ssh": true,
"ping": true,
"snmp": false,
"ConnType": "cisco_ios",
"version": "15.2(2)E6",
"chassis_model": "WS-C2960",
"chassis_sn": "G0T1635R11M",
"slot_list": [
{
"sn": "G0T1635R11M",
"slot": "1",
"model": "WS-C2960"
}
],

{
"ip": "10.1.1.3",
"hostname": "Switch_2",
"function": "Switch Access",
"owner": "Doughnut Co.",
"vendor": "Cisco",
"dev_type": "Switch",
"ssh": true,
"ping": true,
"snmp": true,
"ConnType": "cisco_ios",
"version": "12.2(55)SE12",
"chassis_model": "WS-C2960S-48FPS-L",
"chassis_sn": "F0R1524Q11L",
"slot_list": [
{
"sn": "F0R1524Q11L",
"slot": "1",
"model": "WS-C2960S-48FPS-L"
}
],

==========================================================================
I need to focus on the model (chassis_model) with a correlation to the IOS (version). I know that I could add a spath statement and then a search statement for chassis_model and version, but how do I incorporate multiple searches for chassis_model and version.

Index=new dev_type=switch sourcetype="_json"  ("WS-C2960*") 
    ping!=false last_status="connected" earliest =-1d@d latest=now 
| spath version 
| search version="12.2(55)SE12"

I need to be able to search for multiple switch revisions of the same switch running different IOS versions. This will work at the beginning of the search ** ("WS-C2960*" version="12.2(55)SE12") OR ("WS-C2960S*" version!="15.2(2)E6)** However, I want to be able to use spath as the search flow is easier to follow when dealing with a vast array of equipment.

*this I know will not work but how can something similar work with an spath SPL statement?

| spath 
| search "WS-C2960S*" version!="15.2(2)E9" 
| spath 
| search "WS-C2960*" version="12.2(55)SE12" 
| dedup ip

Thank You

Re: How do you do a spath search that would search for multiple models with a variance of IOS levels?

martinpu — Mon, 01 Apr 2019 19:22:05 GMT

Try using an OR clause in between:

 | spath 
 | search (generatedField="WS-C2960S" version!="15.2(2)E9") OR (generatedField="WS-C2960*" version="12.2(55)SE12")
 | dedup ip

Spath should generate a field as well for that query, defining search based on field is much faster

Re: How do you do a spath search that would search for multiple models with a variance of IOS levels?

bzsplunk54 — Tue, 02 Apr 2019 18:04:26 GMT

thank you!

Re: How do you do a spath search that would search for multiple models with a variance of IOS levels?

asoma0707 — Thu, 26 Mar 2020 16:21:29 GMT

Hi,
Can we use regular expression in search field after spath ? I am stuck in the similar kind of situation. I retrieved JSON object, after that I am looking for a particular string with different formats (alphaNumeric). Those are actually data anomalies.

Could you please provide your advise on how do we incorporate regex in search field ? I tried, but could not come to the solution.