Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

separate json payload to separate events

Esky73
Builder
‎03-21-2019 06:20 AM

my search :

SEARCH...
| rex field=Message "^(?<Short>.*),\sRequestBody:\s(?<ShortMessage>[^\s]+)\".*$" 
| spath input=ShortMessage
| rename sapResponseData{}.contractAccounts{}.nameId AS NameId sapResponseData{}.contractAccounts{}.contractAccount AS ContractAccountNumber sapResponseData{}.contractAccounts{}.sapResponses{}.contractNumber AS ContractNumber sapResponseData{}.contractAccounts{}.sapResponses{}.messageId AS messageId sapResponseData{}.contractAccounts{}.sapResponses{}.messageNumber AS messageNumber sapResponseData{}.contractAccounts{}.sapResponses{}.dataset AS dataSet metadata.correlationId AS CorrelationId metadata.sendDate AS SendDate metadata.sendTime AS SendTime 
| lookup dataset_lookup.csv dataset AS dataSet OUTPUTNEW usage AS Usage
| table _time NameId ContractAccountNumber ContractNumber messageId messageNumber dataSet Usage CorrelationId SendDate SendTime

new field after split field:

{
  "sapResponseData": [
    {
      "responseOriginatedIn": "ERROR",
      "contractAccounts": [
        {
          "nameId": "ABC_999999999999999",
          "contractAccount": "888888888888",
          "sapResponses": [
            {
              "contractNumber": 999999999,
              "responseCode": "002",
              "messageId": "DEF456",
              "messageNumber": "031",
              "dataset": "002"
            },
            {
              "contractNumber": 999999999,
              "responseCode": "002",
              "messageId": "ABC123",
              "messageNumber": "094",
              "dataset": "001"
            }
          ]
        }
      ]
    }
  ],
  "metadata": {
    "correlationId": "Correlation_ID",
    "priority": "LOW",
    "sendDate": "2019-03-21",
    "sendTime": 224813
  }
}

currently sapResponses all appear in the same field in the table

How to create new events per sapResponse ? and keep metadata for all events ?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Esky73
Builder
‎03-24-2019 05:24 AM

I think i figured it out with help from here :

https://answers.splunk.com/answers/25653/mvexpand-multiple-multi-value-fields.html

| rex field=Message "^(?<Short>.*),\sRequestBody:\s(?<ShortMessage>[^\s]+)\".*$" 
| spath input=ShortMessage 
| rename sapResponseData{}.contractAccounts{}.* AS * metadata.* AS * sapResponseData{}.contractAccounts{}.sapResponses{}.* AS * 
| eval reading=mvzip(contractNumber, messageId) 
| eval reading=mvzip(reading, dataset) 
| eval reading=mvzip(reading, messageNumber) 
| mvexpand reading 
| makemv reading delim="," 
| eval contractNumber=mvindex(reading, 0) 
| eval messageId=mvindex(reading, 1) 
| eval messageNumber=mvindex(reading, -1) 
| eval dataset=mvindex(reading, 2) 
| lookup dataset_lookup.csv dataset OUTPUTNEW usage AS Usage 
| table _time nameId contractAccount contractNumber messageId messageNumber dataset Usage correlationId sendDate sendTime

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Esky73
Builder
‎03-24-2019 05:24 AM

I think i figured it out with help from here :

https://answers.splunk.com/answers/25653/mvexpand-multiple-multi-value-fields.html

| rex field=Message "^(?<Short>.*),\sRequestBody:\s(?<ShortMessage>[^\s]+)\".*$" 
| spath input=ShortMessage 
| rename sapResponseData{}.contractAccounts{}.* AS * metadata.* AS * sapResponseData{}.contractAccounts{}.sapResponses{}.* AS * 
| eval reading=mvzip(contractNumber, messageId) 
| eval reading=mvzip(reading, dataset) 
| eval reading=mvzip(reading, messageNumber) 
| mvexpand reading 
| makemv reading delim="," 
| eval contractNumber=mvindex(reading, 0) 
| eval messageId=mvindex(reading, 1) 
| eval messageNumber=mvindex(reading, -1) 
| eval dataset=mvindex(reading, 2) 
| lookup dataset_lookup.csv dataset OUTPUTNEW usage AS Usage 
| table _time nameId contractAccount contractNumber messageId messageNumber dataset Usage correlationId sendDate sendTime
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎03-24-2019 06:08 AM

Click Accept on your answer to close the question.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-21-2019 12:29 PM

Give this a try

 SEARCH...
 | rex field=Message "^(?<Short>.*),\sRequestBody:\s(?<ShortMessage>[^\s]+)\".*$" 
 | spath input=ShortMessage
 | rename sapResponseData{}.contractAccounts{}.* AS *  sapResponseData{}.contractAccounts{}.sapResponses{}.*  metadata.* AS *
 | lookup dataset_lookup.csv dataset OUTPUTNEW usage AS Usage
 | table _time nameId contractAccount contractNumber messageId messageNumber dataset Usage correlationId sendDate sendTime
| eval temp=mvzip(contractNumber,mvzip(messageId,mvzip(messageNumber,dataset,"|"),"|"),"|") 
| mvexpand temp | rex field=temp "(?<contractNumber>]^\|]+)\|(?<messageId>]^\|]+)\|(?<messageNumber>]^\|]+)\|(?<dataset>]^\|]+)" | fields - temp
0 Karma
Reply
Solved! Jump to solution

Esky73
Builder
‎03-24-2019 05:05 AM

Hi Thanks for answering - this has no effect :

i still have the following for contractNumber,messageId,messageNumber,dataset

contractNumber  messageId   messageNumber   dataset
123456          12345       0123            001
123456          67891       4567            002
0 Karma
Reply
Solved! Jump to solution

coccyx
Path Finder
‎03-21-2019 08:03 AM

You can look into mvexpand with your JSON array to explode each event into multiples. As an alternative, Cribl allows you to pre-process events in the ingestion pipeline and we include a function called JSON Unroll which allows you to create an event per entry an a JSON array.

0 Karma
Reply
Solved! Jump to solution

Esky73
Builder
‎03-24-2019 04:49 AM

Hi - thanks - i tried mvexpand initially but that gave me a duplicate event.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...