topic Re: Splunk - how to filter json search results in Getting Data In

Splunk - how to filter json search results

evanxu — Mon, 20 Jul 2020 14:01:12 GMT

My splunk search returns one event as below: notice agent data is in a nested json format. agentName and agentSwitch are nested fields within agent.

I would like to filter within this result so that the output would only display

agentName = "ether" and agentSwitchName="soul".

I have tried to filter using spath and table but each time it would return ALL agentNames, how can i correctly filter the output?

My search | spath | table environemnt, agent{}.agentName | search agent{}.agentName="ether"

Re: Splunk - how to filter json search results

to4kawa — Mon, 20 Jul 2020 21:36:29 GMT

My search | spath agent{} output=agent

| mvexpand agent | spath input=agent | search agentName="ether"

Re: Splunk - how to filter json search results

evanxu — Wed, 22 Jul 2020 02:42:26 GMT

Hi @to4kawa , thank you, i have one more request,
my search correctly returns agent ether, however, it also returns all agent switch names even though I specified agentSwitchName "soul". I think this has to do with agentSwitchName being nested within agent. Could you help ?

mysearch | spath agent{} output=agent | mvexpand agent | spath input=agent
| search agentName="ether" AND agentSwitchName="soul"

Re: Splunk - how to filter json search results

to4kawa — Wed, 22 Jul 2020 09:38:03 GMT

I don't know your log. I can't do that.

Re: Splunk - how to filter json search results

evanxu — Wed, 22 Jul 2020 12:07:48 GMT

The json screenshot is the result of my search, it returns a single event with nested json. I am attempting to reformat/filter the event output to show only agentName: ether and agentSwitchName: soul, preferably in a tabular format.

mysearch | spath agent{} output=agent | mvexpand agent | spath input=agent
| search agentName="ether" AND agentSwitchName="soul" | table agentName, agentSwitchName

However instead of getting "soul" only, I am getting both "infinity" and "soul", so it looks like

This is the output I really want:

Thank you

Re: Splunk - how to filter json search results

to4kawa — Wed, 22 Jul 2020 13:42:59 GMT

you can do it, I can't do it by only sample pics.

Re: Splunk - how to filter json search results

spitchika — Wed, 22 Jul 2020 15:07:14 GMT

Hi,

Best thing I do in this situation is changing log display format to "Raw" and capture correct left and right boundaries with rex command. (If require max_match option). Right now default json view would be "List" view.

Re: Splunk - how to filter json search results

evanxu — Mon, 27 Jul 2020 02:07:48 GMT

Thank you for the hint. I tried to add the clause below and the data returned correctly.

| rename data as _raw
| extract

Re: Splunk - how to filter json search results

spitchika — Mon, 27 Jul 2020 14:47:31 GMT

Perfect!! Thank you.