Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Can you help me with my search to extract and stats count a JSON field using Splunk?

harishnpandey
Explorer
‎10-04-2018 01:39 PM

Hi ,

I want a Splunk query to extract and stats count filed from JSON msg body.

For e.g:

index=abc org_name="JBL" AND app_name="contract-rules" AND space_name=Production msg="LoggingService = ContractRule, ContractId, Type = *, Status = Success"|stats count as Success by Src,Type

app_id:  6a878fd5-540e-4a28-b7ae-970e8a91b74e   
     app_name:   contract-rules 
     org_name:   JBL    
     space_name: Production 
     message_type:   OUT    
     **msg:  2018-10-04 18:27:38.302  INFO [bill-cntct-rules-v0,57a307b46ae1593b,57a307b46ae1593b,true] 18 --- [nio-8080-exec-4] c.u.f.b.c.service.CntctRuleService    : LoggingService = ContractRule, ContractId = H235678, Type = ASC, Src = JBL, Status = Success** 
     origin:     rep    
     source_instance:    2  
     source_type:    APP/PROC/WEB   
     timestamp:  1538677658302837000    
}
Tags (2)
0 Karma
Reply

harishnpandey
Explorer
‎10-05-2018 11:11 AM

alt text

Attached snippet . Current SQL allows me to result the count using stats of fields out of msg body.

Below is my msg body
msg: 2018-10-05 18:01:50.429 INFO [billing-contract-rules-v0,873b26f593081fd6,873b26f593081fd6,true] 19 --- [nio-8080-exec-3] c.u.f.b.c.service.ContractRuleService : LoggingService = ContractRule, ContractId = MY66610, Type = CAS, Src = BMX, Status = Success

Preview file
130 KB
0 Karma
Reply

jgbricker
Contributor
‎10-05-2018 02:02 PM

so if u put the part of my sample search below without the field=msg just prior to your pupe stats portuon it should work.

|rex “Type\s+\=\s+(?P<Type>[^\,]+)\,\s+Src\s+\=\s+(?P<Src>[^\,]+)\,”
0 Karma
Reply

jgbricker
Contributor
‎10-09-2018 02:00 AM

any luck?

0 Karma
Reply

jgbricker
Contributor
‎10-04-2018 06:22 PM

This assumes that you have msg extracted, if not drop field=msg.

index=abc org_name="JBL" AND app_name="contract-rules" AND space_name=Production msg="LoggingService = ContractRule, ContractId, Type = , Status = Success" |rex field=msg “Type\s+\=\s+(?P<Type>[^\,]+)\,\s+Src\s+\=\s+(?P<Src>[^\,]+)\,” |stats count as Success by Src,Type
0 Karma
Reply

harishnpandey
Explorer
‎10-05-2018 07:51 AM

Did not work

Error in 'SearchParser': Missing a search command before '^'. Error at position '228' of search query 'search index=abc org_name="JBL" c...{snipped} {errorcontext = (?P[^\,]+)\,\s+}'.

0 Karma
Reply

jgbricker
Contributor
‎10-05-2018 08:45 AM

hmm seems to be something with the search syntax. Can you add a screenshot?

0 Karma
Reply

harishnpandey
Explorer
‎10-05-2018 11:25 AM

Attached snippet

0 Karma
Reply

harishnpandey
Explorer
‎10-04-2018 03:12 PM

Basically I want to extract Src, Type and same want to use in my stats count

0 Karma
Reply

jgbricker
Contributor
‎10-04-2018 02:06 PM

Can you clarify what you want extracted from the message body? The rex command would likely work well but need to clarify your goal(s).

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...