topic where is not working with JSON extracted with spath in Getting Data In https://community.splunk.com/t5/Getting-Data-In/where-is-not-working-with-JSON-extracted-with-spath/m-p/446882#M77743 <P>Hello there,</P> <P>I have the next JSON:</P> <PRE><CODE>{ "idDeclaracion": "abc123", "prospecto": { "id": "1111", "edad": 24, "nombre": "jaime", "ubicacion": { "direccion": "CL 61", "barrio": "Los colores" } }, "decisiones": [ "aprobar", "declinar", "extraprimar" ], "exitoso": true } </CODE></PRE> <P>I want to filter those events where <CODE>prospecto.id="1111"</CODE> and i have tried two ways:</P> <OL> <LI><CODE>index=idx_eml_err | spath input=message | search prospecto.id="1111"</CODE></LI> <LI><CODE>index=idx_eml_err | spath input=message | where prospecto.id="1111"</CODE></LI> </OL> <P>Option 1 works well, but option 2 does not. Can somebody please explain me this behavior?</P> <P>To have in mind, the next query works well: <CODE>index=idx_eml_err | spath input=message | where idDeclaracion="abc123"</CODE>. The difference between the last query and <EM>2</EM>, is that <EM>2</EM> is using the <CODE>where</CODE> with a nested field.</P> <P>Thanks!</P> Fri, 15 Mar 2019 19:19:10 GMT ivykp 2019-03-15T19:19:10Z where is not working with JSON extracted with spath https://community.splunk.com/t5/Getting-Data-In/where-is-not-working-with-JSON-extracted-with-spath/m-p/446882#M77743 <P>Hello there,</P> <P>I have the next JSON:</P> <PRE><CODE>{ "idDeclaracion": "abc123", "prospecto": { "id": "1111", "edad": 24, "nombre": "jaime", "ubicacion": { "direccion": "CL 61", "barrio": "Los colores" } }, "decisiones": [ "aprobar", "declinar", "extraprimar" ], "exitoso": true } </CODE></PRE> <P>I want to filter those events where <CODE>prospecto.id="1111"</CODE> and i have tried two ways:</P> <OL> <LI><CODE>index=idx_eml_err | spath input=message | search prospecto.id="1111"</CODE></LI> <LI><CODE>index=idx_eml_err | spath input=message | where prospecto.id="1111"</CODE></LI> </OL> <P>Option 1 works well, but option 2 does not. Can somebody please explain me this behavior?</P> <P>To have in mind, the next query works well: <CODE>index=idx_eml_err | spath input=message | where idDeclaracion="abc123"</CODE>. The difference between the last query and <EM>2</EM>, is that <EM>2</EM> is using the <CODE>where</CODE> with a nested field.</P> <P>Thanks!</P> Fri, 15 Mar 2019 19:19:10 GMT https://community.splunk.com/t5/Getting-Data-In/where-is-not-working-with-JSON-extracted-with-spath/m-p/446882#M77743 ivykp 2019-03-15T19:19:10Z Re: where is not working with JSON extracted with spath https://community.splunk.com/t5/Getting-Data-In/where-is-not-working-with-JSON-extracted-with-spath/m-p/446883#M77744 <P>@ivykp,</P> <P>This should work for you </P> <PRE><CODE>index=idx_eml_err | spath input=message |where 'prospecto.id'="1111" </CODE></PRE> <P><A href="https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Where">where</A> command returns only the results for which the eval expression returns true. These eval-expressions must be Boolean expressions, where the expression returns either true or false. In the json filed, by adding a <CODE>'</CODE> around the field makes it as literal field name</P> Sat, 16 Mar 2019 06:08:41 GMT https://community.splunk.com/t5/Getting-Data-In/where-is-not-working-with-JSON-extracted-with-spath/m-p/446883#M77744 renjith_nair 2019-03-16T06:08:41Z