Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Iterate the extraction of json objects using Splunk query language

lpolo
Motivator
‎02-03-2014 09:30 AM

Is there an example that shows how to iterate the extraction of json objects using Splunk query language?

The spath command documentation shows an example but it is only for 2 key names

http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/Spath

I need to create a splunk query construct that iterates the json objects found in the following log event and then aggregate as follow:

Splunk main construct |stats sum(total) as total sum(Fails) as Fails sum(TimeOuts) as TimeOuts by client

Is there a way to do it in Splunk query language?

Json event:

[
{
"_time": "2014-02-17T18:15:00.000+00:00",
"Total": "194118",
"Bad": "7373",
"mean": "65.28",
"Fails": "10",
"client": "hello.com",
"TimeOuts": "0",
"Good": "194108",
"Service": "4u"
},
{
"_time": "2014-02-17T18:15:00.000+00:00",
"Total": "194118",
"Bad": "7373",
"mean": "65.28",
"Fails": "10",
"client": "HYO.com",
"TimeOuts": "0",
"Good": "194108",
"Service": "4u"
},
]

Thanks ,
Lp

Tags (1)
0 Karma
Reply

yannK
Splunk Employee
Splunk Employee
‎02-18-2014 12:00 PM

As another approach, because you have nice json events with a timestamp, and no sub level json.
Why not defining a sourcetype that will break your json in events each time you reach a new line with "{"
then you will have all your events separated, and can use spath to get your fields extracted.

example : http://answers.splunk.com/answers/80741/event-break-json

Reply

lpolo
Motivator
‎02-26-2014 05:51 AM

I can assure you that my regex is correct.

0 Karma
Reply

lpolo
Motivator
‎02-19-2014 07:16 AM

yannK,

I think that the problem is that the json objects are not split into events. Therefore, any aggregation function will not work as expected.

0 Karma
Reply

lpolo
Motivator
‎02-19-2014 06:39 AM

yannK,

Now, I am able to extract all the json key values as expected. However, I cannot aggregate using the stats function example presented in the question. The results are incorrect. Any idea?

0 Karma
Reply

lpolo
Motivator
‎02-19-2014 05:05 AM

Thanks.
I should have thought about this solution.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

How to find the worst searches in your Splunk environment and how to fix them

Everyone knows Splunk is a powerful platform for running searches and doing data analytics. Your ...

Share Your Feedback: On Admin Config Service (ACS)!

Help Us Build a Better Admin Config Service Experience (ACS)   We Want Your Feedback on Admin Config Service ...