topic How to search indexed JSON array output for objects that match a distinct name/value pair in Splunk Search

How to search indexed JSON array output for objects that match a distinct name/value pair

beetlegeuse — Sun, 12 Jul 2020 16:38:55 GMT

I'm calling a REST API using curl on a UF to collect data from a remote DataPower appliance; the output is in JSON format and is written to a flat file that Splunk ingests and indexes. The JSON data looks like this (this snippet represents one event ingested by Splunk with three classes/objects cited in the "ObjectStatus" array; in reality, there can be dozens and dozens of classes/objects within the array):

{

"_links" : {

"self" : {"href" : "/mgmt/status/default/ObjectStatus"},

"doc" : {"href" : "/mgmt/docs/status/ObjectStatus"}},

"ObjectStatus" : [{

"Class" : "DNSNameService",

"OpState" : "up",

"AdminState" : "enabled",

"Name" : "dns",

"EventCode" : "0x00000000",

"ErrorCode" : "",

"ConfigState" : "saved"}, {

"Class" : "CRLFetch",

"OpState" : "down",

"AdminState" : "enabled",

"Name" : "crl",

"EventCode" : "0x00360010",

"ErrorCode" : "No CRLs configured",

"ConfigState" : "saved"}, {

"Class" : "Statistics",

"OpState" : "up",

"AdminState" : "enabled",

"Name" : "statistics",

"EventCode" : "0x00000000",

"ErrorCode" : "",

"ConfigState" : "saved"}]}

I'm using a custom sourcetype to process the events in Splunk; props.conf looks like this (installed on both the UF and my indexers):

[dp_json]
INDEXED_EXTRACTIONS = json
KV_MODE = none

Splunk appears to be processing the events correctly, as the following fields are present (and match up with the expected values):

ObjectStatus{}.AdminState

ObjectStatus{}.Class

ObjectStatus{}.ConfigState

ObjectStatus{}.ErrorCode

ObjectStatus{}.EventCode

ObjectStatus{}.Name

ObjectStatus{}.OpState

Here's my dilemma. I would like to identify objects in a particular state. For example: I would like to know which objects in the array have ObjectStatus{}.OpState equal to "down", with the ObjectStatus{}.Class and ObjectStatus{}.OpState returned for each object that matches. I've tried a search query such as this...

sourcetype=dp_json index=main "ObjectStatus{}.OpState"="down" | table "ObjectStatus{}.Class", "ObjectStatus{}.OpState"

...but this returns every Class from each event, regardless of OpState being "up" or "down".

What adjustments are required in order to get the output I'm looking for?

Re: How to search indexed JSON array output for objects that match a distinct name/value pair

Nisha18789 — Wed, 19 Aug 2020 10:40:04 GMT

@beetlegeuse , your query looks correct , but have you tried with "ObjectStatus{}.OpState"="*down*"

to rule any possibility of spaces in the value.

Re: How to search indexed JSON array output for objects that match a distinct name/value pair

to4kawa — Wed, 19 Aug 2020 11:09:32 GMT

index=_internal | head 1| fields _raw | eval _raw="{\"_links\":{\"self\":{\"href\":\"/mgmt/status/default/ObjectStatus\"},\"doc\":{\"href\":\"/mgmt/docs/status/ObjectStatus\"}},\"ObjectStatus\":[{\"Class\":\"DNSNameService\",\"OpState\":\"up\",\"AdminState\":\"enabled\",\"Name\":\"dns\",\"EventCode\":\"0x00000000\",\"ErrorCode\":\"\",\"ConfigState\":\"saved\"},{\"Class\":\"CRLFetch\",\"OpState\":\"down\",\"AdminState\":\"enabled\",\"Name\":\"crl\",\"EventCode\":\"0x00360010\",\"ErrorCode\":\"No CRLs configured\",\"ConfigState\":\"saved\"},{\"Class\":\"Statistics\",\"OpState\":\"up\",\"AdminState\":\"enabled\",\"Name\":\"statistics\",\"EventCode\":\"0x00000000\",\"ErrorCode\":\"\",\"ConfigState\":\"saved\"}]}" | spath ObjectStatus{} output=ObjectStatus | spath | stats values(links.*) as * by ObjectStatus | spath input=ObjectStatus | fields - ObjectStatus | search OpState=down