Splunk ITSI

Extract data of Trained Models from Nested Json

Path Finder

SPL Query:

| getservice 
| search algorithms=*itsi_predict_*


I want to extract the algorithms and then outputlookup the model_id of the model where recommended:True



Please suggest how do I do thiS?




Labels (1)
0 Karma
1 Solution

Path Finder

If the values you need are service info fields you could use a search like this to find them just

  • Replace <service_title> with the services you want to clone
  • Replace <info_field> with any service info fields you need to use
| getservice 
| search title IN ("<service_title>*","<service_title>*") 
| fillnull value="none" services_depends_on base_service_template_id 
| fields title services_depends_on base_service_template_id 
| rex field=services_depends_on "serviceid=(?<serviceid>.*)~~~" 
| fillnull value="none" serviceid 
| mvexpand serviceid 
| join type=outer serviceid 
    [| `service_kpi_list` 
    | fields serviceid service_name] 
| stats list(service_name) as dependent_services by title base_service_template_id 
| eval dependent_services=mvjoin(dependent_services, ",") 
| rename title as service_name base_service_template_id as template_id 
| join type=outer template_id 
    [| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/base_service_template report_as=text 
    | eval value=spath(value,"{}") 
    | mvexpand value 
    | eval info_fields=spath(value,"informational.fields{}"),
        template_id=spath(value, "_key"),
        template_name=spath(value, "title") 
    | fields template_id template_name] 
| join type=outer service_name 
    [| inputlookup itsi_entities 
    | fields services._key title 
    | rename services._key as services title as host 
    | mvexpand services 
    | lookup service_kpi_lookup _key as services 
    | stats list(host) as host by title 
    | eval host=mvjoin(host, ",") 
    | rename title as service_name] 
| makemv delim="," host 
| mvexpand host 
| join type=outer host 
    [| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/entity report_as=text 
    | eval value=spath(value,"{}") 
    | mvexpand value 
    | eval info_fields=spath(value,"informational.fields{}"),
        entity_id=spath(value, "_key"),
        entity_title=spath(value, "title"),
        entity_name=spath(value, "identifying_name") 
    | appendpipe 
        [| where isnull(field_type) 
        | mvexpand info_fields 
        | eval field_value = spath(value,info_fields."{}"), field_type="info" 
        | rename info_fields as field_name
    | where field_name IN ("<info_field>","<info_field>","<info_field>","<info_field>") 
    | stats list(field_value) as field_value by field_name entity_name 
    | eval field_value=mvjoin(field_value,",") 
    | eval {field_name}=field_value 
    | stats latest(<info_field>) as <info_field> latest(<info_field>) as <info_field> latest(<info_field>) as <info_field> by entity_name 
    | rename entity_name as host] 
| fields - template_id

View solution in original post

Path Finder

If the values you need are service info fields you could use a search like this to find them just

  • Replace <service_title> with the services you want to clone
  • Replace <info_field> with any service info fields you need to use
| getservice 
| search title IN ("<service_title>*","<service_title>*") 
| fillnull value="none" services_depends_on base_service_template_id 
| fields title services_depends_on base_service_template_id 
| rex field=services_depends_on "serviceid=(?<serviceid>.*)~~~" 
| fillnull value="none" serviceid 
| mvexpand serviceid 
| join type=outer serviceid 
    [| `service_kpi_list` 
    | fields serviceid service_name] 
| stats list(service_name) as dependent_services by title base_service_template_id 
| eval dependent_services=mvjoin(dependent_services, ",") 
| rename title as service_name base_service_template_id as template_id 
| join type=outer template_id 
    [| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/base_service_template report_as=text 
    | eval value=spath(value,"{}") 
    | mvexpand value 
    | eval info_fields=spath(value,"informational.fields{}"),
        template_id=spath(value, "_key"),
        template_name=spath(value, "title") 
    | fields template_id template_name] 
| join type=outer service_name 
    [| inputlookup itsi_entities 
    | fields services._key title 
    | rename services._key as services title as host 
    | mvexpand services 
    | lookup service_kpi_lookup _key as services 
    | stats list(host) as host by title 
    | eval host=mvjoin(host, ",") 
    | rename title as service_name] 
| makemv delim="," host 
| mvexpand host 
| join type=outer host 
    [| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/entity report_as=text 
    | eval value=spath(value,"{}") 
    | mvexpand value 
    | eval info_fields=spath(value,"informational.fields{}"),
        entity_id=spath(value, "_key"),
        entity_title=spath(value, "title"),
        entity_name=spath(value, "identifying_name") 
    | appendpipe 
        [| where isnull(field_type) 
        | mvexpand info_fields 
        | eval field_value = spath(value,info_fields."{}"), field_type="info" 
        | rename info_fields as field_name
    | where field_name IN ("<info_field>","<info_field>","<info_field>","<info_field>") 
    | stats list(field_value) as field_value by field_name entity_name 
    | eval field_value=mvjoin(field_value,",") 
    | eval {field_name}=field_value 
    | stats latest(<info_field>) as <info_field> latest(<info_field>) as <info_field> latest(<info_field>) as <info_field> by entity_name 
    | rename entity_name as host] 
| fields - template_id


Given that this looks like JSON, you could uses either spath or the json functions (new to 9.x)

Get Updates on the Splunk Community!

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...

Splunk AppDynamics with Cisco Secure Application

Web applications unfortunately present a target rich environment for security vulnerabilities and attacks. ...