Getting Data In

where is not working with JSON extracted with spath

New Member

Hello there,

I have the next JSON:

{
  "idDeclaracion": "abc123",
  "prospecto": {
    "id": "1111",
    "edad": 24,
    "nombre": "jaime",
    "ubicacion": {
      "direccion": "CL 61",
      "barrio": "Los colores"
    }
  },
  "decisiones": [
    "aprobar",
    "declinar",
    "extraprimar"
  ],
  "exitoso": true
}

I want to filter those events where prospecto.id="1111" and i have tried two ways:

  1. index=idx_eml_err | spath input=message | search prospecto.id="1111"
  2. index=idx_eml_err | spath input=message | where prospecto.id="1111"

Option 1 works well, but option 2 does not. Can somebody please explain me this behavior?

To have in mind, the next query works well: index=idx_eml_err | spath input=message | where idDeclaracion="abc123". The difference between the last query and 2, is that 2 is using the where with a nested field.

Thanks!

0 Karma
1 Solution

SplunkTrust
SplunkTrust

@ivykp,

This should work for you

index=idx_eml_err | spath input=message |where 'prospecto.id'="1111"

where command returns only the results for which the eval expression returns true. These eval-expressions must be Boolean expressions, where the expression returns either true or false. In the json filed, by adding a ' around the field makes it as literal field name

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

@ivykp,

This should work for you

index=idx_eml_err | spath input=message |where 'prospecto.id'="1111"

where command returns only the results for which the eval expression returns true. These eval-expressions must be Boolean expressions, where the expression returns either true or false. In the json filed, by adding a ' around the field makes it as literal field name

View solution in original post

0 Karma
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!