Dashboards & Visualizations

How can I deserialize a JSON string to be shown as Event?

arminbashizade
Engager

I've created a dashboard for searching and filtering events, and it consists of two panels for presenting the results:

  1. a table to show a summary of the events based on the search criteria; its columns are Time, CorrelationId, Service Name, Log Level, and Message, which are attributes shared among all events
  2. an Events panel to show the entirety of an event, which includes attributes that are specific to an event and are not shared with other events, e.g. Stack Trace for errors

The table's drilldown is set to "row", and when a row is clicked it sets some tokens that are used to search again to find that event and show it on the Events panel.

My goal is to avoid the second search, because the event is already retrieved by the table panel.

I've tried passing _raw from the table panel to the events panel and using makeresults, but that command creates a table row that can only be viewed under the Statistics/Table tab and does not show anything when the Events/List tab is selected. What I need is to view the event in the format that is shown in the screenshot below:

[Screenshot arminbashizade_0-1621441676858.png: the event as rendered on the Events panel]

I know that renaming a JSON to _raw will deserialize it, but that requires a result-set of events to begin with, e.g.

* | head 1 | eval tmp="{\"key\":\"value\"}" | rename tmp as _raw

will show the new JSON instead of the original event

[Screenshot arminbashizade_1-1621443045190.png: the replaced JSON shown as an event]

but the below query with makeresults does not give the same result:

| makeresults | eval tmp="{\"key\":\"value\"}" | rename tmp as _raw

[Screenshot arminbashizade_2-1621443109487.png: makeresults output, only visible under Statistics]

Only the Statistics tab shows results.

To summarize, I want to get the event in the format that can be seen in the first screenshot above, but without running a search, because I already have the entire event, including its _raw.

Any help is appreciated!

1 Solution

arminbashizade
Engager

Thanks @ITWhisperer ! That helped with finding the answer. I can't pass the job id from the table result, because the result is still a table and does not include events. However, I can have both panels share the same job.

I created another panel and hid it. This hidden panel runs the same search as the table panel, but without the last " | table ..." command, so that I can have a result set of events. Then I changed both the table panel and the events panel to load that job and search through that.

The table panel uses a query like this:

| loadjob $job_id$ | table Time, Level, Message,...

And events panel uses a query like this:

| loadjob $job_id$ | search EventId=$selected_event_id$

Note that if the hidden panel search does not extract the fields you're going to use when you load the job, you need to add "spath" after "loadjob", e.g.

| loadjob $job_id$ | spath | table Time,...

See this question for how to store the job id in a token: https://community.splunk.com/t5/Dashboards-Visualizations/How-to-get-search-ID-job-sid-from-XML-dash...

For hiding a panel:

<panel depends="$always_hide$">
</panel>

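The arrangement described in this answer, written out as a complete Simple XML dashboard. This is an added example, not the poster's dashboard or Splunk's own code: it captures the job id with a form-level `<search id="event_base">` and a `<done>` handler that stores `$job.sid$` in the `$job_id$` token (a standard alternative to the hidden panel used in the post), and the index, sourcetype and field names (`index=app_logs`, `sourcetype=json_events`, `EventId`) are assumptions. The table and events panels both reuse the finished job via `loadjob`, with `spath` added so that the JSON fields are available after the job is loaded.

```xml
<form>
  <label>Event search (added example, assumed index and fields)</label>

  <!-- Runs the full search once on load; only its job id is kept, in $job_id$.
       index=app_logs and sourcetype=json_events are assumptions, not values from the post. -->
  <search id="event_base">
    <query>index=app_logs sourcetype=json_events $filter$</query>
    <earliest>$time_range.earliest$</earliest>
    <latest>$time_range.latest$</latest>
    <done>
      <set token="job_id">$job.sid$</set>
    </done>
  </search>

  <fieldset submitButton="true">
    <input type="time" token="time_range">
      <label>Time range</label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
    <input type="text" token="filter">
      <label>Filter (Service Name, Log Level, free text)</label>
      <default>*</default>
    </input>
  </fieldset>

  <!-- Summary table: reads the finished job, so no second index search is dispatched.
       spath re-extracts the JSON fields from _raw in case the loaded job lacks them. -->
  <row>
    <panel>
      <title>Events</title>
      <table>
        <search>
          <query>| loadjob $job_id$ | spath | table _time, CorrelationId, "Service Name", "Log Level", Message, EventId</query>
        </search>
        <option name="drilldown">row</option>
        <drilldown>
          <!-- $row.EventId$ is the clicked row's EventId; the field name is an assumption. -->
          <set token="selected_event_id">$row.EventId$</set>
        </drilldown>
      </table>
    </panel>
  </row>

  <!-- Event viewer: same job, filtered to the clicked row, rendered in list mode so
       _raw is deserialized and shown the way the Events tab shows it. -->
  <row>
    <panel depends="$selected_event_id$">
      <title>Event detail</title>
      <event>
        <search>
          <query>| loadjob $job_id$ | spath | search EventId=$selected_event_id$</query>
        </search>
        <option name="type">list</option>
        <option name="raw.drilldown">none</option>
      </event>
    </panel>
  </row>
</form>
```

The events panel stays hidden until a row is clicked because its `depends` attribute references `$selected_event_id$`, which is only set by the drilldown. As noted further down the thread, `loadjob` on an ad hoc job id is only reliable on a single search head; on a search head cluster, verify that the artifact is available before relying on this pattern.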

kamlesh_vaghela
SplunkTrust
SplunkTrust

@arminbashizade 

loadjob will work on a single search head, but on a cluster it might not work.

A search head cluster can run the loadjob command only on scheduled saved searches. A search head cluster runs searches on results or artifacts that the search head cluster replicates.

So to be on the safe side, just verify your dashboard on a cluster as well.

https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Loadjob#Search_head_cluster...

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.


ITWhisperer
SplunkTrust
SplunkTrust

Have you tried saving the job id in a token, passing that in the drilldown, and using loadjob to retrieve the results?


kamlesh_vaghela
SplunkTrust
SplunkTrust

@arminbashizade 

Because here we have an event in which to replace _raw with new values.

* | head 1 | eval tmp="{\"key\":\"value\"}" | rename tmp as _raw

will show the new JSON instead of the original event

but the below query with makeresults does not give the same result:

| makeresults | eval tmp="{\"key\":\"value\"}" | rename tmp as _raw


Well, with this search you cannot see events in the Events tab, because makeresults generates results which you can see in the Statistics tab, not in Events.

But with the makeresults you can have fields. Try this, 

| makeresults | eval _raw="{\"key\":\"value\"}"| extract

If you need exact representations of an event then use below search.

* | head 1 | eval _raw="{\"key\":\"value\"}"

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
