Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Platform
- :
- Splunk Enterprise
- :
- Re: Return events based on nested JSON
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Return events based on nested JSON
Hi,
This is a call log where a participant joined a conference call with audio and video. For example: I want to find all events where rx_packet_loss>1.0 on the video stream.
I don't want any search results based on the element where stream_type=audio in this case.
Been trying to look for answers on my own, but I don't know where to start.
{
"protocol": "WebRTC",
"disconnect_reason": "User initiated disconnect",
"media_streams": [
{
"rx_packet_loss": 1.5,
"stream_type": "video",
"tx_packet_loss": 0.0,
"id": 585785,
},
{
"rx_packet_loss": 0.0,
"stream_type": "audio",
"tx_packet_loss": 0.0,
"id": 585786,
}
],
"bandwidth": 512,
"local_alias": "meet.company.2@domain.com",
"call_direction": "in",
"remote_alias": "User 1",
}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you can guarantee order of the fields in media streams, you could use a regular expression to extract the video packet loss as a field, and then filter based on that field:
<> | rex "\"rx_packet_loss\"\s*:\s*(?<video_rx_packetloss>\d+\.\d+)\s*,\s*\"stream_type\"\s*:\s*\"video\"" | where video_rx_packetloss >= 1
Otherwise using some of the multi-valued eval functions, you can combine corresponding stream_type and rx_packet_loss values into a single value ( mvzip), keep only the where stream_type is video ( mvfilter + match), extract out the corresponding rx_packet_loss value ( split + mvindex) and then filter events based on that value.
<> | eval rxloss=mvzip('media_streams{}.stream_type','media_streams{}.rx_packet_loss'),rxloss=mvindex(split(mvfilter(match(rxloss,"^video,")),","),1)| where rxloss >= 1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
HI @tsushi,
To work with JSON events generally spath, mvzip, mvexpand & many other multivalued functions will be useful. As part of searching specific events within your provided JSON I think this search will work. Can you please try it?
YOUR_SEARCH | rename media_streams{}.id as id, media_streams{}.rx_packet_loss as rx_packet_loss, media_streams{}.stream_type as stream_type, media_streams{}.tx_packet_loss as tx_packet_loss | eval temp = mvzip(mvzip(mvzip(id,rx_packet_loss),stream_type),tx_packet_loss) | stats count by _time,protocol,disconnect_reason,bandwidth,local_alias,call_direction,remote_alias,temp | eval id=mvindex(split(temp,","),0),rx_packet_loss =mvindex(split(temp,","),1), stream_type=mvindex(split(temp,","),2),tx_packet_loss =mvindex(split(temp,","),3) | where rx_packet_loss>1.0 AND stream_type="video"
Check below link for more informations:
https://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/MultivalueEvalFunctions
http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Spath
http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/Mvexpand
Thanks
Community Content Calendar, September edition
Splunkbase Unveils New App Listing Management Public Preview
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
