Re: JSON data, unexpected value count

phanikumarcs · ‎02-08-2024

Hi,

When i want to extract the fields from JSON (below) destination,messages, inflightMessages.

This the one of the latest event:

{

  "analytics": [

     {

        "destination": "billing.events.prod",

        "messages": 0,

        "inflightMessages": 0

     },

     {

        "destination": "billing.events.dev",

        "messages": 0,

        "inflightMessages": 0

     },

     {

        "destination": "hub.values.prod",

        "messages": 0,

        "inflightMessages": 0

     },

     {

        "destination": "hub.fifo-prod",

        "messages": 0,

        "inflightMessages": 0

     }

   ]

}

This is the spl i am using:

index=myindex sourcetype=mysourcetype

| spath input=_raw

| table analytics{}.destination, analytics{}.messages, analytics{}.inflightMessages

Where i am getting in the intrested fields

"analytics{}.destination" for this when i move curser to see values and count associated, for each value showing count 2, when you search for one event.

Why this is happening what is the issue? This data generally mulesoftmq.

danielcj · ‎02-08-2024

Hello @phanikumarcs ,

The spath command is duplicating the values of this event. Please try the following not using the spath command:

index=myindex sourcetype=mysourcetype
| table analytics{}.destination, analytics{}.messages, analytics{}.inflightMessages

Thanks.

phanikumarcs · ‎02-09-2024

If you see what every i am trying its getting two same values

ITWhisperer · ‎02-09-2024

It looks like you have found 2 events in your search not 1, but your screenshot doesn't show how many events were returned. You could also look in your search log to see what is happening.

phanikumarcs · ‎02-09-2024

@danielcj @ITWhisperer
In this instance, I am utilizing the SPL. The most recent event I am obtaining is from a table, where I encounter repeated values in the 'destination field which is 2.'

index=foo sourcetype="foo" source="foo"
| spath input=_raw output=analytics path="analytics{}"
| rename "analytics{}.destination" as destination, "analytics{}.messages" as messages, "analytics{}.inflightMessages" as inflightMessages
| sort 0 -_time
| eventstats max(_time) as latestTime
| where _time = latestTime
| table destination, messages, inflightMessages

ITWhisperer · ‎02-09-2024

There is nothing in this search that ensures you only have one event - you could have two events with exactly the same _time value - try something like this

| sort 0 -_time
| head 1

phanikumarcs · ‎02-09-2024

i tried this as well earlier, may be the issue with MQ events.

ITWhisperer · ‎02-09-2024

Not sure where MQ events come into it. When you tried with sort and head 1, what did you get?

phanikumarcs · ‎02-09-2024

@ITWhisperer
in the events only 1 event getting, when you see in statistics getting same 2 values under destination in table.

ITWhisperer · ‎02-09-2024

So the data is duplicated in the raw event?

JSON data, unexpected value count

dashboard

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?