Getting Data In

where is not working with JSON extracted with spath

ivykp
New Member

Hello there,

I have the next JSON:

{
  "idDeclaracion": "abc123",
  "prospecto": {
    "id": "1111",
    "edad": 24,
    "nombre": "jaime",
    "ubicacion": {
      "direccion": "CL 61",
      "barrio": "Los colores"
    }
  },
  "decisiones": [
    "aprobar",
    "declinar",
    "extraprimar"
  ],
  "exitoso": true
}

I want to filter those events where prospecto.id="1111" and i have tried two ways:

  1. index=idx_eml_err | spath input=message | search prospecto.id="1111"
  2. index=idx_eml_err | spath input=message | where prospecto.id="1111"

Option 1 works well, but option 2 does not. Can somebody please explain me this behavior?

To have in mind, the next query works well: index=idx_eml_err | spath input=message | where idDeclaracion="abc123". The difference between the last query and 2, is that 2 is using the where with a nested field.

Thanks!

0 Karma
1 Solution

renjith_nair
SplunkTrust
SplunkTrust

@ivykp,

This should work for you

index=idx_eml_err | spath input=message |where 'prospecto.id'="1111"

where command returns only the results for which the eval expression returns true. These eval-expressions must be Boolean expressions, where the expression returns either true or false. In the json filed, by adding a ' around the field makes it as literal field name

Happy Splunking!

View solution in original post

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@ivykp,

This should work for you

index=idx_eml_err | spath input=message |where 'prospecto.id'="1111"

where command returns only the results for which the eval expression returns true. These eval-expressions must be Boolean expressions, where the expression returns either true or false. In the json filed, by adding a ' around the field makes it as literal field name

Happy Splunking!
0 Karma
Get Updates on the Splunk Community!

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...

Cloud Platform | Migrating your Splunk Cloud deployment to Python 3.7

Python 2.7, the last release of Python 2, reached End of Life back on January 1, 2020. As part of our larger ...