Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Lookup display_name from an id in nested json

stephencrim
Engager
‎04-19-2018 08:03 AM

I have some JSON events coming in via the HTTP Event collector. One of the elements within it has an 'owner_id', which references another element in the event called 'users' which has multiple child elements containing 'id' and 'display_name'. I'm trying to eval a new field 'owner_display_name' for each event matching the 'display_name' whose 'id' matches 'owner_id'.

Sample JSON:

{   
     deal:  {   
        }   
         name:  test    
         owner_id:   2000066958 
    }
     users: [   
        {
         display_name:   John Doe
         email:  jdoe@foobar.com    
         id:     2000066958 
         is_active:  true   
         mobile_number:  null   
         work_number:    null   
        }   
    ]   
}

I've been trying to use spath and various mv functions, but none of them seem quite as straightforward as I would think this should be. What I'm essentially looking for is an inline lookup that uses an mv field within the event to eval a new field based on some conditional logic. I've been able to grab the first element from the users field, and that is pretty close, but assumes that the owner is the first user in the list, and there's no guarantee that will always be the case.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

stephencrim
Engager
‎04-26-2018 10:58 AM

Our temporary resolution to this was to simply do the lookup in python prior to sending the json to Splunk.

What we're looking at longer term is to create some lookup kvstores and populate those periodically from a splunk search on the same event data. This will give us the lookup tables for the data we need to evaluate at search time and not have to do all of this preprocessing every time we decide we want a new field populated for a report.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

stephencrim
Engager
‎04-26-2018 10:58 AM

Our temporary resolution to this was to simply do the lookup in python prior to sending the json to Splunk.

What we're looking at longer term is to create some lookup kvstores and populate those periodically from a splunk search on the same event data. This will give us the lookup tables for the data we need to evaluate at search time and not have to do all of this preprocessing every time we decide we want a new field populated for a report.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Registration is OPEN!

Ready. Set. Splunk! Your favorite Splunk user event is back and better than ever. Get ready for more technical ...

Detecting Cross-Channel Fraud with Splunk

This article is the final installment in our three-part series exploring fraud detection techniques using ...

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...