Solved: AND Operator in JSON

belicoff · ‎10-31-2017

I have a Log System which Logs in JSON Format Like these:
{
"API_Name": "Get ID Cards",
"End Point": "/write/api/v1.1/sequoiauser/idcards",
"UserID": "ABC-123",
"Response": "",
"Error": "Logos attachment retrieval Failed"
}

{
"API_Name": "Get ID Cards",
"End Point": "/write/api/v1.1/sequoiauser/idcards",
"UserID": "XYZ-123",
"Response": "{"url" : "http://some-url"}",
"Error" : null
}

Now I want to view all documents where UserID is "ABC-123" and API_Name is "Get ID Cards".
Can anyone let me know how to achieve this?
I have added KV_MODE as json.

"API_Name" : "Get ID Cards" AND "UserID" : "ABC-123" query list even the doc which has "UserID" : "XYZ-123"

alemarzu · ‎10-31-2017

Hi there @belicoff

Try like this.

your search | where UserID="ABC-123" AND API_Name="Get ID Cards"

View solution in original post

alemarzu · ‎10-31-2017

Hi there @belicoff

Try like this.

your search | where UserID="ABC-123" AND API_Name="Get ID Cards"

belicoff · ‎10-31-2017

Thanks, It Worked

AND Operator in JSON

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

AND Operator in JSON

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...