topic Re: extracting jvm arguments in Splunk Search

How to extract, kv pair from jvm_cmd value & print those in Splunk search?

pmittal — Wed, 16 Nov 2022 15:05:16 GMT

raw event

{... "jvm_cmd":"bin/java -Dp -Dp1=v1-Dp2=v2 -Dq -Dp3=v3 ..."}

How to extract, kv pair from jvm_cmd value & print those in Splunk search?

I am not admin. So, I can't change props.conf or transform.conf. I tried https://community.splunk.com/t5/Splunk-Search/Using-KV-MODE-auto-in-props-conf-how-do-I-get-a-search-time/m-p/240834 and rex without any success. Any help will be much appreciated

Re: extracting jvm arguments

gcusello — Wed, 16 Nov 2022 11:37:48 GMT

Hi @pmittal,

it seems to be a json format, did you tried with spath command (https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath)?

Ciao.

Giuseppe

Re: extracting jvm arguments

pmittal — Wed, 16 Nov 2022 12:41:46 GMT

I am not sure how that's gonna solve the problem. I am trying to parse jvm_cmd value and it's not a JSON. Can you share some sample spath if I misunderstood you?

Re: extracting jvm arguments

gcusello — Wed, 16 Nov 2022 13:00:26 GMT

Hi @pmittal,

you can find all the information and samples in the above link.

Ciao.

Giuseppe

Re: extracting jvm arguments

pmittal — Wed, 16 Nov 2022 13:26:07 GMT

I tried it before posting without any success. All the example in that link has value itself as either JSON or XML whereas in this case no fixed pattern in value

Re: extracting jvm arguments

gcusello — Wed, 16 Nov 2022 13:28:18 GMT

Hi @pmittal,

if possible, please share a sample of your data that's also useful to create a regex.

Ciao.

Giuseppe

Re: extracting jvm arguments

pmittal — Wed, 16 Nov 2022 13:31:41 GMT

it's there in initial post. I need that P1=v1, p2=v2 ... key pairs extracted

Re: extracting jvm arguments

gcusello — Wed, 16 Nov 2022 13:35:04 GMT

Hi @pmittal,

{... "jvm_cmd":"bin/java -Dp -Dp1=v1-Dp2=v2 -Dq -Dp3=v3 ..."} isn't a full log, if possible, share a full log to understand if it's a json.

Ciao.

Giuseppe

Re: extracting jvm arguments

pmittal — Wed, 16 Nov 2022 14:02:30 GMT

log entry is a json. i can fetch jvm_cmd parmeter as it is a JSON key. that's not the issue. I need to parse value of jvm_cmd. can't share full log due to sensitive information. I tried following Splunk query (few other variations too). It just print log/raw json fields but it won't extract fields out of jvm_cmd value

index=abc jvm_cmd=*xyz* | spath | table *

Re: extracting jvm arguments

gcusello — Wed, 16 Nov 2022 16:24:58 GMT

Hi @pmittal,

if you're sure that you have a json format the spath command should extract all the fields, also the one you need.

If you want to extract only one field, you could follow the 5th example of the link https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Spath

Could you mask a sample of your data to share?

Ciao.

Giuseppe

Re: extracting jvm arguments

pmittal — Wed, 16 Nov 2022 17:03:40 GMT

I don't have to retrieve field value. I have to retrieve key value pair located inside field value. Either you are not getting my point or I am not getting yours at all. Please see java_cmd param value. need to get K,V pair out of it

Re: How to extract, kv pair from jvm_cmd value & print those in Splunk search?

yuanliu — Thu, 17 Nov 2022 08:46:50 GMT

@pmittal Are you thinking of kv aka extract?

| rename _raw as tmp, jvm_cmd as _raw | kv pairdelim="-" | rename D* as *

Re: How to extract, kv pair from jvm_cmd value & print those in Splunk search?

pmittal — Mon, 05 Dec 2022 10:23:04 GMT

Apologies for the delayed response. I used REX meanwhile to extract required fields but it was not a full proof solution because I should know fields to be extracted in advance which is not possible. This is where @yuanliu solution worked as expected.

One final clarification - This solution worked only if jvm_cmd is renamed as _raw. Is it possible to avoid renaming and worked directly on jvm_cmd?

Re: How to extract, kv pair from jvm_cmd value & print those in Splunk search?

yuanliu — Mon, 05 Dec 2022 19:11:01 GMT

One final clarification - This solution worked only if jvm_cmd is renamed as _raw. Is it possible to avoid renaming and worked directly on jvm_cmd?

To be honest, there were multiple times I wished that was possible but no. However, in your case, the JSON object is already in _raw. You can try your luck by simply apply | kv without any predisposition. The worst that can happen is that, in addition to possibly extracting additional fields from other JSON nodes that may contain equal-sign-separated kv pairs, some of these interfere with those pairs in jvm_cmd. So, manually test with a meaningful amount of sample. (Or ask your developer if any other fields can potentially contain equal-sign-separated pair and can potentially have overlapping keys.)