Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How do you do a spath search that would search...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I am trying to acquire some input for SPL parsing a JSON file using the |spath command. Here is an example of my JSON format.
{
"ip": "10.1.1.2",
"hostname": "Switch_1",
"function": "Switch Access",
"owner": "Doughnut Co.",
"vendor": "Cisco",
"dev_type": "Switch",
"ssh": true,
"ping": true,
"snmp": false,
"ConnType": "cisco_ios",
"version": "15.2(2)E6",
"chassis_model": "WS-C2960",
"chassis_sn": "G0T1635R11M",
"slot_list": [
{
"sn": "G0T1635R11M",
"slot": "1",
"model": "WS-C2960"
}
],
{
"ip": "10.1.1.3",
"hostname": "Switch_2",
"function": "Switch Access",
"owner": "Doughnut Co.",
"vendor": "Cisco",
"dev_type": "Switch",
"ssh": true,
"ping": true,
"snmp": true,
"ConnType": "cisco_ios",
"version": "12.2(55)SE12",
"chassis_model": "WS-C2960S-48FPS-L",
"chassis_sn": "F0R1524Q11L",
"slot_list": [
{
"sn": "F0R1524Q11L",
"slot": "1",
"model": "WS-C2960S-48FPS-L"
}
],
==========================================================================
I need to focus on the model (chassis_model) with a correlation to the IOS (version). I know that I could add a spath statement and then a search statement for chassis_model and version, but how do I incorporate multiple searches for chassis_model and version.
Index=new dev_type=switch sourcetype="_json" ("WS-C2960*")
ping!=false last_status="connected" earliest =-1d@d latest=now
| spath version
| search version="12.2(55)SE12"
I need to be able to search for multiple switch revisions of the same switch running different IOS versions. This will work at the beginning of the search ** ("WS-C2960*" version="12.2(55)SE12") OR ("WS-C2960S*" version!="15.2(2)E6)** However, I want to be able to use spath as the search flow is easier to follow when dealing with a vast array of equipment.
*this I know will not work but how can something similar work with an spath SPL statement?
| spath
| search "WS-C2960S*" version!="15.2(2)E9"
| spath
| search "WS-C2960*" version="12.2(55)SE12"
| dedup ip
Thank You
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try using an OR clause in between:
| spath
| search (generatedField="WS-C2960S" version!="15.2(2)E9") OR (generatedField="WS-C2960*" version="12.2(55)SE12")
| dedup ip
Spath should generate a field as well for that query, defining search based on field is much faster
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try using an OR clause in between:
| spath
| search (generatedField="WS-C2960S" version!="15.2(2)E9") OR (generatedField="WS-C2960*" version="12.2(55)SE12")
| dedup ip
Spath should generate a field as well for that query, defining search based on field is much faster
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Can we use regular expression in search field after spath ? I am stuck in the similar kind of situation. I retrieved JSON object, after that I am looking for a particular string with different formats (alphaNumeric). Those are actually data anomalies.
Could you please provide your advise on how do we incorporate regex in search field ? I tried, but could not come to the solution.
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Unlock What’s Next: The Splunk Cloud Platform at .conf25
