All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk For loop

arun_kant_sharm
Path Finder
‎12-04-2019 05:52 PM

Hi Experts,

Below is the JSON format input of my data, I want to fetch LoadBalancer name from metric_dimensions fields, but the position of Load balancer is differ in both field.

I don't know how to create for loop with break in SPL, please suggest how I achieve this.

{ [-]
Average: 0.5441528732026144
Maximum: 14.997758
Minimum: 0.000371
SampleCount: 1530
Sum: 832.553896
Unit: Seconds
account_id: 522995424064
metric_dimensions: LoadBalancer=[app/nonprod-web-in-alb/bXXXXXXXXXXXXXX]
metric_name: TargetResponseTime
period: 300
timestamp: 2019-12-05T01:25:00Z
}

{ [-]
Average: 0.6173158354037267
Maximum: 10.601669
Minimum: 0.000397
SampleCount: 644
Sum: 397.551398
Unit: Seconds
account_id: 522995424064
metric_dimensions: AvailabilityZone=[ap-northeast-1d],LoadBalancer=[app/nonprod-web-in-alb/bXXXXXXXXXXXXXX],TargetGroup=[targetgroup/preprod-portals-perf-443/aXXXXXXXXXXXXX]
metric_name: TargetResponseTime
period: 300
timestamp: 2019-12-05T01:25:00Z
}

Tags (2)
0 Karma
Reply

to4kawa
Ultra Champion
‎12-05-2019 07:46 AM 
| makeresults 
| eval raw="[{\"Average\": 0.5441528732026144,
\"Maximum\": 14.997758,
\"Minimum\": 0.000371,
\"SampleCount\": 1530,
\"Sum\": 832.553896,
\"Unit\": \"Seconds\",
\"account_id\": 522995424064,
\"metric_dimensions\": \"LoadBalancer=[app/nonprod-web-in-alb/bXXXXXXXXXXXXXX]\",
\"metric_name\": \"TargetResponseTime\",
\"period\": 300,
\"timestamp\": \"2019-12-05T01:25:00Z\"},
{\"Average\": 0.6173158354037267,
\"Maximum\": 10.601669,
\"Minimum\": 0.000397,
\"SampleCount\": 644,
\"Sum\": 397.551398,
\"Unit\": \"Seconds\",
\"account_id\": 522995424064,
\"metric_dimensions\": \"AvailabilityZone=[ap-northeast-1d],LoadBalancer=[app/nonprod-web-in-alb/bXXXXXXXXXXXXXX],TargetGroup=[targetgroup/preprod-portals-perf-443/aXXXXXXXXXXXXX]\"
\"metric_name\": \"TargetResponseTime\",
\"period\": 300,
\"timestamp\": \"2019-12-05T01:25:00Z\"}]"
| spath input=raw 
| mvexpand {}.Average
| streamstats count
| foreach {}.*
    [| rename <<FIELD>> as <<MATCHSTR>>
    | eval <<MATCHSTR>> = if(mvcount('<<MATCHSTR>>')=1,'<<MATCHSTR>>',mvindex('<<MATCHSTR>>',count - 1))   ]
| eval _raw=metric_dimensions
| kv
| fields - _* , raw
| eval source="ApplicationELB"
| table source metric_dimensions LoadBalancer Average Unit

Hi, folks.
streamstats and foreach are useful.

Reply

woodcock
Esteemed Legend
‎12-05-2019 07:51 AM

I just bookmarked it.

0 Karma
Reply

to4kawa
Ultra Champion
‎12-05-2019 08:13 AM

Thank you very much @woodcock.

I look forward to working with you.

0 Karma
Reply

woodcock
Esteemed Legend
‎12-05-2019 08:23 AM

Any time. What do you have cooking?

0 Karma
Reply

to4kawa
Ultra Champion
‎12-06-2019 02:51 AM

JSON etc...

0 Karma
Reply

woodcock
Esteemed Legend
‎12-05-2019 07:50 AM

This is a GREAT answer.

0 Karma
Reply

woodcock
Esteemed Legend
‎12-04-2019 06:11 PM

You should be able to add | spath to your search and get all of your fields (also try eval foo=spath()) but if it is not valid JSON, try this:

| makeresults 
|  eval raw="Fee Fie Fo Fum {Average: 0.5441528732026144
Maximum: 14.997758
Minimum: 0.000371
SampleCount: 1530
Sum: 832.553896
Unit: Seconds
account_id: 522995424064
metric_dimensions: LoadBalancer=[app/nonprod-web-in-alb/bXXXXXXXXXXXXXX]
metric_name: TargetResponseTime
period: 300
timestamp: 2019-12-05T01:25:00Z
} foo bar bat:::Fee Fie Fo Fum {Average: 0.6173158354037267
Maximum: 10.601669
Minimum: 0.000397
SampleCount: 644
Sum: 397.551398
Unit: Seconds
account_id: 522995424064
metric_dimensions: AvailabilityZone=[ap-northeast-1d],LoadBalancer=[app/nonprod-web-in-alb/bXXXXXXXXXXXXXX],TargetGroup=[targetgroup/preprod-portals-perf-443/aXXXXXXXXXXXXX]
metric_name: TargetResponseTime
period: 300
timestamp: 2019-12-05T01:25:00Z
} foo bar bat"
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| rex mode=sed "s/.*{Average:/Average:{/ s/}.*/}/"
| kv
0 Karma
Reply

arun_kant_sharm
Path Finder
‎12-04-2019 06:40 PM

This is a valid JSON, generated by AWS Cloudwatch.

I am using the below SPL:
sourcetype=aws:cloudwatch
| spath path=SampleCount
| spath path=metric_dimensions
| spath path=metric_name
| spath path=timestampe
| search source = "*ApplicationELB" AND metric_name= TargetResponseTime | where Average > 0.3 | eval LoadBalancer = mvindex(split(metric_dimensions,","), 1) | table source metric_dimensions LoadBalancer Average Unit

But using above SPL LoadBalancer are populate empty for some events, because I pass 1 in mvindex, so do you now any way to iterate in the output of split function ?

0 Karma
Reply

vmacedo
Explorer
‎12-05-2019 06:21 AM

@arun_kant_sharma, instead of using mvindex/split use split to create a multivalue field and mvfilter to get the LoadBalancer wherever it is:

sourcetype=aws:cloudwatch
| spath path=SampleCount
| spath path=metric_dimensions
| spath path=metric_name
| spath path=timestampe
| search source = "*ApplicationELB" AND metric_name= TargetResponseTime | where Average > 0.3 | eval LoadBalancer = mvfilter(match(split(metric_dimensions,","),"LoadBalancer") | table source metric_dimensions LoadBalancer Average Unit

0 Karma
Reply
Get Updates on the Splunk Community!

Get Schooled with Splunk Education: Explore Our Latest Courses

At Splunk Education, we’re dedicated to providing incredible learning experiences that cater to every skill ...

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top