Getting Data In

Can you help me with my search to extract and stats count a JSON field using Splunk?

harishnpandey
Explorer

Hi ,

I want a Splunk query to extract and stats count filed from JSON msg body.

For e.g:

index=abc org_name="JBL" AND app_name="contract-rules" AND space_name=Production msg="LoggingService = ContractRule, ContractId, Type = *, Status = Success"|stats count as Success by Src,Type

app_id:  6a878fd5-540e-4a28-b7ae-970e8a91b74e   
     app_name:   contract-rules 
     org_name:   JBL    
     space_name: Production 
     message_type:   OUT    
     **msg:  2018-10-04 18:27:38.302  INFO [bill-cntct-rules-v0,57a307b46ae1593b,57a307b46ae1593b,true] 18 --- [nio-8080-exec-4] c.u.f.b.c.service.CntctRuleService    : LoggingService = ContractRule, ContractId = H235678, Type = ASC, Src = JBL, Status = Success** 
     origin:     rep    
     source_instance:    2  
     source_type:    APP/PROC/WEB   
     timestamp:  1538677658302837000    
}
Tags (2)
0 Karma

harishnpandey
Explorer

alt text

Attached snippet . Current SQL allows me to result the count using stats of fields out of msg body.

Below is my msg body
msg: 2018-10-05 18:01:50.429 INFO [billing-contract-rules-v0,873b26f593081fd6,873b26f593081fd6,true] 19 --- [nio-8080-exec-3] c.u.f.b.c.service.ContractRuleService : LoggingService = ContractRule, ContractId = MY66610, Type = CAS, Src = BMX, Status = Success

0 Karma

jgbricker
Contributor

so if u put the part of my sample search below without the field=msg just prior to your pupe stats portuon it should work.

|rex “Type\s+\=\s+(?P<Type>[^\,]+)\,\s+Src\s+\=\s+(?P<Src>[^\,]+)\,”
0 Karma

jgbricker
Contributor

any luck?

0 Karma

jgbricker
Contributor

This assumes that you have msg extracted, if not drop field=msg.

index=abc org_name="JBL" AND app_name="contract-rules" AND space_name=Production msg="LoggingService = ContractRule, ContractId, Type = , Status = Success" |rex field=msg “Type\s+\=\s+(?P<Type>[^\,]+)\,\s+Src\s+\=\s+(?P<Src>[^\,]+)\,” |stats count as Success by Src,Type
0 Karma

harishnpandey
Explorer

Did not work

Error in 'SearchParser': Missing a search command before '^'. Error at position '228' of search query 'search index=abc org_name="JBL" c...{snipped} {errorcontext = (?P[^\,]+)\,\s+}'.

0 Karma

jgbricker
Contributor

hmm seems to be something with the search syntax. Can you add a screenshot?

0 Karma

harishnpandey
Explorer

Attached snippet

0 Karma

harishnpandey
Explorer

Basically I want to extract Src, Type and same want to use in my stats count

0 Karma

jgbricker
Contributor

Can you clarify what you want extracted from the message body? The rex command would likely work well but need to clarify your goal(s).

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

(view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...