topic Re: search in Splunk Search

search

ashukp — Tue, 01 Dec 2020 07:31:11 GMT

Hi, I have 2 different events. these 2 events can be identified by "Id".

I am trying to display it in table in the below format, wherein the records should be in a single row

api_name,Id,OpName,Response,Current,System_Service_Response

event 1
api_name=apple||Id=12345||OpName=Update||Response_Code=200||Response_Status=COMPLETED||Response=[{"number":"99999","status":"Welcome back"}]||

event 2

api_name=apple||Id=12345||System_Name=Oracle||Service_Name=Oracle||Operation_Name=test||System_Status_Code=200||System_Service_Status=COMPLETED||System_Service_Response={"number":"99999","status":"Welcome back"}||Current=99999

My search query displays 2 rows, is it possible to group the events and display in 1 row.

Re: search

renjith_nair — Tue, 01 Dec 2020 07:51:16 GMT

If the events are unique per id, then you can use stats

"your current search" |stats latest(api_name) as api_name,..,latest(fieldname) as fieldname by Id

Re: search

ashukp — Tue, 01 Dec 2020 08:16:27 GMT

System_Service_Response=Request method 'POST' not supported

its just printing Request and not the whole string.

Also, how can i separate out the below string in 2 different fields

Response=[{"number":"99999","status":"Welcome back"}]

i.e. number and status.

Re: search

ashukp — Tue, 01 Dec 2020 08:21:36 GMT

@renjith_nair
System_Service_Response=Request method 'POST' not supported

its just printing Request and not the whole string.

Also, how can i separate out the below string in 2 different fields

Response=[{"number":"99999","status":"Welcome back"}]

i.e. number and status.

Re: search

renjith_nair — Wed, 02 Dec 2020 04:00:08 GMT

Try

|rex field=Response "\[\{\"number\":\"(?<Number>\d+)\",\"status\":\"(?<Status>.+)\"\}"

For the System_Service_Response, you either need to fix it at the source by quote around the string to consider it as single string or extract using rex in the search