Getting Data In
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk - how to filter json search results

evanxu
Explorer
‎07-20-2020 07:01 AM

My splunk search returns one event as below: notice agent data is in a nested json format.  agentName and agentSwitch are nested fields within agent.  

testsplunk.JPG

I would like to filter within this result so that the output would only display 

agentName = "ether" and agentSwitchName="soul".   

 

I have tried to filter using spath and table but each time it would return ALL agentNames, how can i correctly filter the output?  

My search | spath | table environemnt, agent{}.agentName | search agent{}.agentName="ether"

Labels (1)
Labels
Tags (1)
0 Karma
Reply

to4kawa
Ultra Champion
‎07-20-2020 02:36 PM

My search | spath agent{} output=agent

| mvexpand agent | spath input=agent | search agentName="ether"

Reply

evanxu
Explorer
‎07-21-2020 07:42 PM

Hi @to4kawa , thank you, i have one more request, 
my search correctly returns agent ether, however, it also returns all agent switch names even though I specified agentSwitchName "soul".   I think this has to do with agentSwitchName being nested within agent.   Could you help ?

mysearch |  spath agent{} output=agent | mvexpand agent | spath input=agent
| search agentName="ether" AND agentSwitchName="soul"

 

0 Karma
Reply

to4kawa
Ultra Champion
‎07-22-2020 02:38 AM

I don't know your log. I can't do that.

0 Karma
Reply

evanxu
Explorer
‎07-22-2020 05:07 AM

The json screenshot is the result of my search, it returns a single event with nested json.   I am attempting to reformat/filter the event output to show only agentName: ether and agentSwitchName: soul, preferably in a tabular format. 

testsplunk.JPG

mysearch |  spath agent{} output=agent | mvexpand agent | spath input=agent
| search agentName="ether" AND agentSwitchName="soul"  | table agentName, agentSwitchName

However instead of getting "soul" only, I am getting both "infinity" and "soul", so it looks like 

current.JPG

This is the output I really want: 

target.JPG

Thank you

0 Karma
Reply

to4kawa
Ultra Champion
‎07-22-2020 06:42 AM

you can do it, I can't do it by only sample pics.


0 Karma
Reply

spitchika
Path Finder
‎07-22-2020 08:07 AM
 
 
Hi, 

Best thing I do in this situation is changing log display format to "Raw" and capture correct left and right boundaries with rex command. (If require max_match option). Right now default json view would be "List" view.

spitchika_0-1595430181338.png

 

Reply

evanxu
Explorer
‎07-26-2020 07:07 PM

Thank you for the hint.    I tried to add the clause below and the data returned correctly.  

| rename data as _raw
| extract

0 Karma
Reply

spitchika
Path Finder
‎07-27-2020 07:47 AM 
Perfect!! Thank you.
0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Brett Adams

In our third Spotlight feature, we're excited to shine a light on Brett—a Splunk consultant, innovative ...

Index This | What can you do to make 55,555 equal 500?

April 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...
Top