topic Splunk search does not return event data when there is multiple json in same event in Splunk Search

Splunk search does not return event data when there is multiple json in same event

karthi25 — Thu, 21 Feb 2019 18:35:15 GMT

I have a created a splunk alert when there is a failure occurs. I have query as follows:

index=* source=*** |spath path=TestLog.TestFailureLog.appName output=APPNAME|spath path=TestLog.TestFailureLog.eventType output=EVENTTYPE|spath path=TestLog.TestFailureLog.payload.level output=LEVEL|spath path=TestLog.TestFailureLog.payload.failureCount output=FAILURECOUNT|spath path=TestLog.TestFailureLog.payload.errorDescription output=ERRORDESCRIPTION|where APPNAME!="" and LEVEL="ERROR"|table APPNAME,EVENTTYPE,LEVEL,FAILURECOUNT,ERRORDESCRIPTION

It is working fine when I have single jsonobject per event in the log . For eg:
If I have Data like below:

But, if in case I have both success and failure log in the same event, that particular event is vomited and it returns all the remaining failure logs.

Can Anyone please suggest me the solution for it.

Re: Splunk search does not return event data when there is multiple json in same event

kamlesh_vaghela — Sat, 23 Feb 2019 12:44:24 GMT

@karthi25
It seems your given JSON is invalid. Can you please share actual event having multiple logs? Don't beautify JSON share it as it is.

Re: Splunk search does not return event data when there is multiple json in same event

karthi25 — Mon, 25 Feb 2019 10:32:18 GMT

@kamlesh_vaghela Thanks for your response.I have updated my question. Please look in to it. Kindly let me know, if you found anything. Since, these logs are from other sources, I can't change the logging format .

Re: Splunk search does not return event data when there is multiple json in same event

kamlesh_vaghela — Tue, 26 Feb 2019 13:39:43 GMT

Thanks, @karthi25 for updating question. Is it ok if you share 2nd event in text format? So we can work on those samples to help you. Use Code Sample ( 5th icon in above panel) for same. update confidential values with a dummy value.

Re: Splunk search does not return event data when there is multiple json in same event

karthi25 — Wed, 27 Feb 2019 05:34:27 GMT

@kamlesh_vaghela Sure. Please find the text format for the 2nd event below:

{
"TestSplunkLog" : {
"TestSuccessLog" : {
"appName" : "Testsscount",
"eventType" : "event1",
"payload" : {
"level" : "INFO",
"startTime" : "2019-02-21 18:02:58",
"sourceCount" : 0,
"successCount" : 0,
"duplicateCount" : 0,
"publishedCount" : 0,
"endTime" : "2019-02-21 18:02:59"
}
}
}
}
{
"TestSplunkLog" : {
"TestFailureLog" : {
"appName" : "Testsscount",
"eventType" : "event1",
"payload" : {
"level" : "ERROR",
"startTime" : "2019-02-21 18:02:58",
"failureCount" : 0,
"errorCode" : 17002,
"errorDescription" : "IO Error: Unknown host specified ",
"failureIdList" : [ ],
"endTime" : "2019-02-21 18:02:59"
}
}
}
}
Collapse
host = *** source =*** sourcetype =***

Re: Splunk search does not return event data when there is multiple json in same event

kamlesh_vaghela — Thu, 28 Feb 2019 08:43:01 GMT

@karthi25

Can you please try below search? I have split events as expected. For that, I have added || using replace tp split events. Here Might be you need to change values}\n{ to your_brackates.

<<YOUR_host_source_sourcetype>>
| fields _time _raw
| eval data = replace(_raw,"}\n{","}||{") 
| eval data = split(data,"||") 
| mvexpand data | eval _raw=data | kv | table TestSplunkLog.*

Thanks

Re: Splunk search does not return event data when there is multiple json in same event

karthi25 — Thu, 28 Feb 2019 11:44:50 GMT

@kamlesh_vaghela finally it works, Thanks a lot.

Re: Splunk search does not return event data when there is multiple json in same event

kamlesh_vaghela — Thu, 28 Feb 2019 11:49:38 GMT

@karthi25
Great.

Please upvote and accept this answer to close this question.

Happy Splunking