Join the Conversation
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- In a dashboard query, how do you use a JSON field ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have some data which is changing from a delimited format to JSON. In a dashboard, I have a query that for the old format would do this:
sourcetype=oldformat | eval blocked = if(fieldname=="BLOCKED",1,0)
However, trying this against the JSON it doesn't work right.
sourcetype=newformat | eval blocked =if (a.b.fieldname=="BLOCKED", 1,0)
But this doesn't seem to work ... all records evaluate to 0. I test this out, I ran the following, which was just bizarre:
sourcetype=newformat a.b.fieldname="BLOCKED" | eval blocked =if (a.b.fieldname=="BLOCKED", 1,0) | chart count by a.b.fieldname, blocked
The result table looked like this:
a.b.fieldname 0
BLOCKED 45
So it was able to search by the field name (it found only the correct records out of millions) and it shows the correct value (BLOCKED) ... but the if statement that works fine when not looking at JSON seems to be broken with the JSON.
Any ideas?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ShagVT ,
Add ' to the fieldname to make it as literal and then do the comparison.
Try
sourcetype=newformat | eval blocked =if ('a.b.fieldname'=="BLOCKED", 1,0)
Or
Rename the field and compare
sourcetype=newformat|rename a.b.fieldname as fieldname |eval blocked =if (fieldname =="BLOCKED", 1,0)
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@ShagVT ,
Add ' to the fieldname to make it as literal and then do the comparison.
Try
sourcetype=newformat | eval blocked =if ('a.b.fieldname'=="BLOCKED", 1,0)
Or
Rename the field and compare
sourcetype=newformat|rename a.b.fieldname as fieldname |eval blocked =if (fieldname =="BLOCKED", 1,0)
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Both of these ideas were successful. THANK YOU!
So is this basically a bug in Splunk's evaluation of conditional functions?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
did you see a.b.fieldname as a interesting field in your JSON data..??
can you post a sample of you json data..??
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
