Splunk Enterprise

spath command

VijaySrrie
Builder

Hi,

What is the spath command, and when to use it? Please explain the below command.

| spath input=json

Is there any alternative command for spath?
When we use the spath command, will it consume more time?

isoutamo
SplunkTrust

The most common use for spath is with JSON. It helps to get elements and tables inside JSON.
A similar command is xmlkv, which is used to manipulate XML events.
r. Ismo

VijaySrrie
Builder

I am creating a dashboard. spath is not the best practice to use in a dashboard, it seems; can you modify the below query with some other command?

index=indexname application=appname sourcetype=sourcetypename asset_env=prod component=abc "message=Received event:"
| table json
| spath input=json output=body path=Records{}.body
| spath input=body output=requestId path=request.requestId
| stats dc(requestId)

ITWhisperer
SplunkTrust

Depending on what your data actually looks like, extracting a single value might be just as easily achieved with rex

isoutamo
SplunkTrust

Can you post your event as sample data? Without it, it's hard to help you.
And also a short verbal description of what you want to achieve.

VijaySrrie
Builder

Instead of spath command, we were asked to create Field extractions as a best practice.

inventsekar
Ultra Champion

Sure @VijaySrrie, then let us know the sample logs, which fields you want to extract, etc., please.

To answer your first question about spath basics:

The spath command enables you to extract information from the structured data formats XML and JSON.

Alternatives to the spath command

If you are using autokv or index-time field extractions, the path extractions are performed for you at index time.

You do not need to explicitly use the spath command to provide a path.

If you are using indexed_extractions=JSON or KV_MODE=JSON in the props.conf file, then you do not need to use the spath command explicitly.


Specify the output field and a path for an XML attribute

Use the @ symbol to specify an XML attribute. Consider the following XML list of books and authors.

<?xml version="1.0"?>
<purchases>
   <book>
      <author>Martin, George R.R.</author>
      <title yearPublished="1996">A Game of Thrones</title>
      <title yearPublished="1998">A Clash of Kings</title>
   </book>
   <book>
      <author>Clarke, Susanna</author>
      <title yearPublished="2004">Jonathan Strange and Mr. Norrell</title>
   </book>
   <book>
      <author>Kay, Guy Gavriel</author>
      <title yearPublished="1990">Tigana</title>
   </book>
   <book>
      <author>Bujold, Lois McMasters</author>
      <title yearPublished="1986">The Warrior's Apprentice</title>
   </book>
</purchases>

Use this search to return the path for the book and the year it was published.

... | spath output=dates path=purchases.book.title{@yearPublished} | table dates


https://docs.splunk.com/Documentation/SplunkCloud/latest/SearchReference/Spath
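To make the two-step query from the question concrete (why `Records{}.body` is followed by a second spath on `request.requestId`, and how `{}` fans out over an array), here is an added Python model of spath's path semantics; it is not Splunk code and the sample event is constructed, with `body` carried as a JSON string inside the outer JSON as the original query implies.

```python
import json
from typing import Any, List

# Constructed sample event: the json field's Records{} array holds a "body" that
# is itself a JSON-encoded string, so requestId needs a second parse (spath).
SAMPLE_JSON = json.dumps({
    "Records": [
        {"body": json.dumps({"request": {"requestId": "r-001"}})},
        {"body": json.dumps({"request": {"requestId": "r-002"}})},
        {"body": json.dumps({"request": {"requestId": "r-001"}})},
    ]
})

def spath_like(value: Any, path: str) -> List[Any]:
    """Resolve a dotted spath-style path; 'name{}' expands every array element.
    Returns a list because a path through an array is multivalued, as in Splunk."""
    current = [value]
    for step in path.split("."):
        expand = step.endswith("{}")
        key = step[:-2] if expand else step
        next_values = []
        for item in current:
            if not isinstance(item, dict) or key not in item:
                continue            # missing path: spath yields no value, not an error
            found = item[key]
            if expand:
                if isinstance(found, list):
                    next_values.extend(found)
            else:
                next_values.append(found)
        current = next_values
    return current

def distinct_request_ids(raw_json: str) -> int:
    """Mirror the thread's pipeline: spath Records{}.body, then spath
    request.requestId on each body, then stats dc(requestId)."""
    bodies = spath_like(json.loads(raw_json), "Records{}.body")
    ids = set()
    for body in bodies:
        # body is a JSON-encoded string, which is why the original query needs
        # a second spath with input=body rather than one longer path.
        try:
            parsed = json.loads(body) if isinstance(body, str) else body
        except json.JSONDecodeError:
            continue                # malformed body: skipped, like spath on non-JSON input
        ids.update(str(v) for v in spath_like(parsed, "request.requestId"))
    return len(ids)
```

Running `distinct_request_ids(SAMPLE_JSON)` returns 2, matching what `stats dc(requestId)` would report for three records carrying two distinct ids.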
