Solved: Extract data of Trained Models from Nested Json

krutika_ag · ‎05-16-2024

SPL Query:

| getservice 
| search algorithms=*itsi_predict_*

I want to extract the algorithms and then outputlookup the model_id of the model where recommended:True

Please suggest how do I do thiS?

proyleJDS · ‎08-05-2024

If the values you need are service info fields you could use a search like this to find them just

Replace <service_title> with the services you want to clone
Replace <info_field> with any service info fields you need to use

| getservice 
| search title IN ("<service_title>*","<service_title>*") 
| fillnull value="none" services_depends_on base_service_template_id 
| fields title services_depends_on base_service_template_id 
| rex field=services_depends_on "serviceid=(?<serviceid>.*)~~~" 
| fillnull value="none" serviceid 
| mvexpand serviceid 
| join type=outer serviceid 
    [| `service_kpi_list` 
    | fields serviceid service_name] 
| stats list(service_name) as dependent_services by title base_service_template_id 
| eval dependent_services=mvjoin(dependent_services, ",") 
| rename title as service_name base_service_template_id as template_id 
| join type=outer template_id 
    [| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/base_service_template report_as=text 
    | eval value=spath(value,"{}") 
    | mvexpand value 
    | eval info_fields=spath(value,"informational.fields{}"),
        template_id=spath(value, "_key"),
        template_name=spath(value, "title") 
    | fields template_id template_name] 
| join type=outer service_name 
    [| inputlookup itsi_entities 
    | fields services._key title 
    | rename services._key as services title as host 
    | mvexpand services 
    | lookup service_kpi_lookup _key as services 
    | stats list(host) as host by title 
    | eval host=mvjoin(host, ",") 
    | rename title as service_name] 
| makemv delim="," host 
| mvexpand host 
| join type=outer host 
    [| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/entity report_as=text 
    | eval value=spath(value,"{}") 
    | mvexpand value 
    | eval info_fields=spath(value,"informational.fields{}"),
        entity_id=spath(value, "_key"),
        entity_title=spath(value, "title"),
        entity_name=spath(value, "identifying_name") 
    | appendpipe 
        [| where isnull(field_type) 
        | mvexpand info_fields 
        | eval field_value = spath(value,info_fields."{}"), field_type="info" 
        | rename info_fields as field_name
            ] 
    | where field_name IN ("<info_field>","<info_field>","<info_field>","<info_field>") 
    | stats list(field_value) as field_value by field_name entity_name 
    | eval field_value=mvjoin(field_value,",") 
    | eval {field_name}=field_value 
    | stats latest(<info_field>) as <info_field> latest(<info_field>) as <info_field> latest(<info_field>) as <info_field> by entity_name 
    | rename entity_name as host] 
| fields - template_id

View solution in original post

proyleJDS · ‎08-05-2024

If the values you need are service info fields you could use a search like this to find them just

Replace <service_title> with the services you want to clone
Replace <info_field> with any service info fields you need to use

| getservice 
| search title IN ("<service_title>*","<service_title>*") 
| fillnull value="none" services_depends_on base_service_template_id 
| fields title services_depends_on base_service_template_id 
| rex field=services_depends_on "serviceid=(?<serviceid>.*)~~~" 
| fillnull value="none" serviceid 
| mvexpand serviceid 
| join type=outer serviceid 
    [| `service_kpi_list` 
    | fields serviceid service_name] 
| stats list(service_name) as dependent_services by title base_service_template_id 
| eval dependent_services=mvjoin(dependent_services, ",") 
| rename title as service_name base_service_template_id as template_id 
| join type=outer template_id 
    [| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/base_service_template report_as=text 
    | eval value=spath(value,"{}") 
    | mvexpand value 
    | eval info_fields=spath(value,"informational.fields{}"),
        template_id=spath(value, "_key"),
        template_name=spath(value, "title") 
    | fields template_id template_name] 
| join type=outer service_name 
    [| inputlookup itsi_entities 
    | fields services._key title 
    | rename services._key as services title as host 
    | mvexpand services 
    | lookup service_kpi_lookup _key as services 
    | stats list(host) as host by title 
    | eval host=mvjoin(host, ",") 
    | rename title as service_name] 
| makemv delim="," host 
| mvexpand host 
| join type=outer host 
    [| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/entity report_as=text 
    | eval value=spath(value,"{}") 
    | mvexpand value 
    | eval info_fields=spath(value,"informational.fields{}"),
        entity_id=spath(value, "_key"),
        entity_title=spath(value, "title"),
        entity_name=spath(value, "identifying_name") 
    | appendpipe 
        [| where isnull(field_type) 
        | mvexpand info_fields 
        | eval field_value = spath(value,info_fields."{}"), field_type="info" 
        | rename info_fields as field_name
            ] 
    | where field_name IN ("<info_field>","<info_field>","<info_field>","<info_field>") 
    | stats list(field_value) as field_value by field_name entity_name 
    | eval field_value=mvjoin(field_value,",") 
    | eval {field_name}=field_value 
    | stats latest(<info_field>) as <info_field> latest(<info_field>) as <info_field> latest(<info_field>) as <info_field> by entity_name 
    | rename entity_name as host] 
| fields - template_id

ITWhisperer · ‎05-16-2024

Given that this looks like JSON, you could uses either spath or the json functions (new to 9.x)

Extract data of Trained Models from Nested Json

using ITSI

New Case Study Shows the Value of Partnering with Splunk Academic Alliance

How to Monitor Google Kubernetes Engine (GKE)

Index This | How can you make 45 using only 4?