Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I extract only some portions of a json event?

edeca
New Member
‎01-08-2013 03:22 AM

I have some json events which look similar to the example below. Key to my question is the events[] array which contains a number of things of interest.

I can summarise all data neatly using filters such as | top events{}.command but I'd like to be able to do statistics and time graphing on only those events where type="request". I have looked at spath and I'm uncertain it is what I need, but I am happy to be corrected.

How can I select only the request events and do further processing on them?

An example of the json (this is interpreted fine by Splunk and it parses out the fields correctly):


{[-]
id : "guidguidguid",
events : [
{[-]
type : "request",
command : "jump",
args : "10",
... more ...
},
{[-]
type : "response",
command : "wobble",
args : "20",
... more ...
}
{[-]
type : "response",
command : "run",
args : "10",
... more ...
}
... more ...
],
.. other key-value pairs and arrays ..
}

There may be multiple request/response sections per Splunk event, or there might just be requests or just responses.

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎01-08-2013 06:16 AM

See this answer: http://splunk-base.splunk.com/answers/63559/multiple-events-and-multiple-key-value-pairs-one-being-t.... So a search for you might be:

<yoursearch>|spath|rename events{}.type as event_type|rename events{}.command AS event_command|eval x=mvzip(event_type,event_command)|mvexpand x|eval x=split(x,",")|eval evt_type=mvindex(x,0)|eval evt_cmd = mvindex(x,1)|where evt_type=="request"|stats count by evt_cmd

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

alacercogitatus
SplunkTrust
SplunkTrust
‎01-08-2013 06:16 AM

See this answer: http://splunk-base.splunk.com/answers/63559/multiple-events-and-multiple-key-value-pairs-one-being-t.... So a search for you might be:

<yoursearch>|spath|rename events{}.type as event_type|rename events{}.command AS event_command|eval x=mvzip(event_type,event_command)|mvexpand x|eval x=split(x,",")|eval evt_type=mvindex(x,0)|eval evt_cmd = mvindex(x,1)|where evt_type=="request"|stats count by evt_cmd

0 Karma
Reply
Solved! Jump to solution

edeca
New Member
‎01-09-2013 01:48 AM

This works great where I just need two of the values from the original data, thanks.

Perhaps a better long term solution is to change the data input format so they form distinct Splunk events.

0 Karma
Reply
Get Updates on the Splunk Community!

Thanks for the Memories! Splunk University, .conf24, and Community Connections

Thank you to everyone in the Splunk Community who joined us for .conf24 – starting with Splunk University and ...

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...