Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk - how to filter json search results

evanxu
Explorer
‎07-20-2020 07:01 AM

My splunk search returns one event as below: notice agent data is in a nested json format.  agentName and agentSwitch are nested fields within agent.  

testsplunk.JPG

I would like to filter within this result so that the output would only display 

agentName = "ether" and agentSwitchName="soul".   

 

I have tried to filter using spath and table but each time it would return ALL agentNames, how can i correctly filter the output?  

My search | spath | table environemnt, agent{}.agentName | search agent{}.agentName="ether"

Labels (1)
Labels
Tags (1)
0 Karma
Reply

to4kawa
Ultra Champion
‎07-20-2020 02:36 PM

My search | spath agent{} output=agent

| mvexpand agent | spath input=agent | search agentName="ether"

Reply

evanxu
Explorer
‎07-21-2020 07:42 PM

Hi @to4kawa , thank you, i have one more request, 
my search correctly returns agent ether, however, it also returns all agent switch names even though I specified agentSwitchName "soul".   I think this has to do with agentSwitchName being nested within agent.   Could you help ?

mysearch |  spath agent{} output=agent | mvexpand agent | spath input=agent
| search agentName="ether" AND agentSwitchName="soul"

 

0 Karma
Reply

to4kawa
Ultra Champion
‎07-22-2020 02:38 AM

I don't know your log. I can't do that.

0 Karma
Reply

evanxu
Explorer
‎07-22-2020 05:07 AM

The json screenshot is the result of my search, it returns a single event with nested json.   I am attempting to reformat/filter the event output to show only agentName: ether and agentSwitchName: soul, preferably in a tabular format. 

testsplunk.JPG

mysearch |  spath agent{} output=agent | mvexpand agent | spath input=agent
| search agentName="ether" AND agentSwitchName="soul"  | table agentName, agentSwitchName

However instead of getting "soul" only, I am getting both "infinity" and "soul", so it looks like 

current.JPG

This is the output I really want: 

target.JPG

Thank you

0 Karma
Reply

to4kawa
Ultra Champion
‎07-22-2020 06:42 AM

you can do it, I can't do it by only sample pics.


0 Karma
Reply

spitchika
Path Finder
‎07-22-2020 08:07 AM
 
 
Hi, 

Best thing I do in this situation is changing log display format to "Raw" and capture correct left and right boundaries with rex command. (If require max_match option). Right now default json view would be "List" view.

spitchika_0-1595430181338.png

 

Reply

evanxu
Explorer
‎07-26-2020 07:07 PM

Thank you for the hint.    I tried to add the clause below and the data returned correctly.  

| rename data as _raw
| extract

0 Karma
Reply

spitchika
Path Finder
‎07-27-2020 07:47 AM 
Perfect!! Thank you.
0 Karma
Reply
Get Updates on the Splunk Community!

CX Day is Coming!

Customer Experience (CX) Day is on October 7th!! We're so excited to bring back another day full of wonderful ...

Strengthen Your Future: A Look Back at Splunk 10 Innovations and .conf25 Highlights!

The Big One: Splunk 10 is Here!  The moment many of you have been waiting for has arrived! We are thrilled to ...

Now Offering the AI Assistant Usage Dashboard in Cloud Monitoring Console

Today, we’re excited to announce the release of a brand new AI assistant usage dashboard in Cloud Monitoring ...