topic Splunk Create Fields from Field Values in Json log in Splunk Search

Splunk Create Fields from Field Values in Json log

ssjabid — Fri, 03 Jul 2020 17:45:50 GMT

Hi,

I am trying to create new field values from my json log base on the values that appear under a particular field

So here is an example

{
   "widget": {
       "text": [ 
        {
           "data": "Click here",
           "size": 36
        },
       {
          "data": "Learn more",
          "size": 37
       },
       {
          "data": "Help",
          "size": 38
       },
       ]
   }
}

So in my environment I currently have got widget{}.text{}.data as a field, however i would like to break it further and have

widget{}.text{}.data{}.ClickHere,

widget{}.text{}.data{}.Help,

widget{}.text{}.data{}.LearnMore as individual fields

I ask this because when we have thousands of logs and are looking for certain combinations, we have issues with filtering accurately, doing this will help us find the right combinations

Any assistance will be greatly appreciated,

Thanks

Re: Splunk Create Fields from Field Values in Json log

to4kawa — Fri, 03 Jul 2020 23:33:16 GMT

| makeresults | eval _raw="{ \"widget\": { \"text\": [ { \"data\": \"Click here\", \"size\": 36 }, { \"data\": \"Learn more\", \"size\": 37 }, { \"data\": \"Help\", \"size\": 38 }, ] } }" | rex max_match=0 "(?ms)(?<jsons>{\s*\"data.*?})" | stats count by jsons | spath input=jsons | eval {data}=size | table "Click here" Help "Learn more" | stats values(*) as *

Re: Splunk Create Fields from Field Values in Json log

ssjabid — Sat, 04 Jul 2020 13:06:28 GMT

Thank you for this, i will try it out on monday, it looks like it will work,

I've heard online about {} creating a new set of fields from field values

what is the purpose of using the rex? is that just to capture data into a new field so that we can use spath on it? is this part absolutely necessary?

if you could explain exactly what {data}=size does that will help me understand its real use for further scenarios,

Thanks again, looking forward to trying this out!

Re: Splunk Create Fields from Field Values in Json log

to4kawa — Sat, 04 Jul 2020 13:57:17 GMT

| makeresults | eval _raw="{ \"widget\": { \"text\": [ { \"data\": \"Click here\", \"size\": 36 }, { \"data\": \"Learn more\", \"size\": 37 }, { \"data\": \"Help\", \"size\": 38 }, ] } }" | spath | rename widget.text{}.* as * | eval tmp=mvzip(data,size) | stats count by tmp | eval data=mvindex(split(tmp,","),0), size=mvindex(split(tmp,","),1) | xyseries count data size | fields - count

1. I like rex to extract json array.(it's better to use mvzip,I guess)

2. see https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval#Field_names