Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How do you do a spath search that would search...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I am trying to acquire some input for SPL parsing a JSON file using the |spath command. Here is an example of my JSON format.
{
"ip": "10.1.1.2",
"hostname": "Switch_1",
"function": "Switch Access",
"owner": "Doughnut Co.",
"vendor": "Cisco",
"dev_type": "Switch",
"ssh": true,
"ping": true,
"snmp": false,
"ConnType": "cisco_ios",
"version": "15.2(2)E6",
"chassis_model": "WS-C2960",
"chassis_sn": "G0T1635R11M",
"slot_list": [
{
"sn": "G0T1635R11M",
"slot": "1",
"model": "WS-C2960"
}
],
{
"ip": "10.1.1.3",
"hostname": "Switch_2",
"function": "Switch Access",
"owner": "Doughnut Co.",
"vendor": "Cisco",
"dev_type": "Switch",
"ssh": true,
"ping": true,
"snmp": true,
"ConnType": "cisco_ios",
"version": "12.2(55)SE12",
"chassis_model": "WS-C2960S-48FPS-L",
"chassis_sn": "F0R1524Q11L",
"slot_list": [
{
"sn": "F0R1524Q11L",
"slot": "1",
"model": "WS-C2960S-48FPS-L"
}
],
==========================================================================
I need to focus on the model (chassis_model) with a correlation to the IOS (version). I know that I could add a spath statement and then a search statement for chassis_model and version, but how do I incorporate multiple searches for chassis_model and version.
Index=new dev_type=switch sourcetype="_json" ("WS-C2960*")
ping!=false last_status="connected" earliest =-1d@d latest=now
| spath version
| search version="12.2(55)SE12"
I need to be able to search for multiple switch revisions of the same switch running different IOS versions. This will work at the beginning of the search ** ("WS-C2960*" version="12.2(55)SE12") OR ("WS-C2960S*" version!="15.2(2)E6)** However, I want to be able to use spath as the search flow is easier to follow when dealing with a vast array of equipment.
*this I know will not work but how can something similar work with an spath SPL statement?
| spath
| search "WS-C2960S*" version!="15.2(2)E9"
| spath
| search "WS-C2960*" version="12.2(55)SE12"
| dedup ip
Thank You
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try using an OR clause in between:
| spath
| search (generatedField="WS-C2960S" version!="15.2(2)E9") OR (generatedField="WS-C2960*" version="12.2(55)SE12")
| dedup ip
Spath should generate a field as well for that query, defining search based on field is much faster
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try using an OR clause in between:
| spath
| search (generatedField="WS-C2960S" version!="15.2(2)E9") OR (generatedField="WS-C2960*" version="12.2(55)SE12")
| dedup ip
Spath should generate a field as well for that query, defining search based on field is much faster
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Can we use regular expression in search field after spath ? I am stuck in the similar kind of situation. I retrieved JSON object, after that I am looking for a particular string with different formats (alphaNumeric). Those are actually data anomalies.
Could you please provide your advise on how do we incorporate regex in search field ? I tried, but could not come to the solution.
Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps
What’s New in Splunk Observability – September 2025
Fun with Regular Expression - multiples of nine
