Splunk ITSI

Extract data of Trained Models from Nested Json

krutika_ag
Path Finder

SPL Query:

| getservice 
| search algorithms=*itsi_predict_*

krutika_ag_0-1715852580919.jpeg

I want to extract the algorithms and then outputlookup the model_id of the model where recommended:True

 krutika_ag_1-1715852683585.png

 

Please suggest how do I do thiS?

 

 

 

Labels (1)
0 Karma
1 Solution

proyleJDS
Path Finder

If the values you need are service info fields you could use a search like this to find them just

  • Replace <service_title> with the services you want to clone
  • Replace <info_field> with any service info fields you need to use
| getservice 
| search title IN ("<service_title>*","<service_title>*") 
| fillnull value="none" services_depends_on base_service_template_id 
| fields title services_depends_on base_service_template_id 
| rex field=services_depends_on "serviceid=(?<serviceid>.*)~~~" 
| fillnull value="none" serviceid 
| mvexpand serviceid 
| join type=outer serviceid 
    [| `service_kpi_list` 
    | fields serviceid service_name] 
| stats list(service_name) as dependent_services by title base_service_template_id 
| eval dependent_services=mvjoin(dependent_services, ",") 
| rename title as service_name base_service_template_id as template_id 
| join type=outer template_id 
    [| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/base_service_template report_as=text 
    | eval value=spath(value,"{}") 
    | mvexpand value 
    | eval info_fields=spath(value,"informational.fields{}"),
        template_id=spath(value, "_key"),
        template_name=spath(value, "title") 
    | fields template_id template_name] 
| join type=outer service_name 
    [| inputlookup itsi_entities 
    | fields services._key title 
    | rename services._key as services title as host 
    | mvexpand services 
    | lookup service_kpi_lookup _key as services 
    | stats list(host) as host by title 
    | eval host=mvjoin(host, ",") 
    | rename title as service_name] 
| makemv delim="," host 
| mvexpand host 
| join type=outer host 
    [| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/entity report_as=text 
    | eval value=spath(value,"{}") 
    | mvexpand value 
    | eval info_fields=spath(value,"informational.fields{}"),
        entity_id=spath(value, "_key"),
        entity_title=spath(value, "title"),
        entity_name=spath(value, "identifying_name") 
    | appendpipe 
        [| where isnull(field_type) 
        | mvexpand info_fields 
        | eval field_value = spath(value,info_fields."{}"), field_type="info" 
        | rename info_fields as field_name
            ] 
    | where field_name IN ("<info_field>","<info_field>","<info_field>","<info_field>") 
    | stats list(field_value) as field_value by field_name entity_name 
    | eval field_value=mvjoin(field_value,",") 
    | eval {field_name}=field_value 
    | stats latest(<info_field>) as <info_field> latest(<info_field>) as <info_field> latest(<info_field>) as <info_field> by entity_name 
    | rename entity_name as host] 
| fields - template_id

View solution in original post

proyleJDS
Path Finder

If the values you need are service info fields you could use a search like this to find them just

  • Replace <service_title> with the services you want to clone
  • Replace <info_field> with any service info fields you need to use
| getservice 
| search title IN ("<service_title>*","<service_title>*") 
| fillnull value="none" services_depends_on base_service_template_id 
| fields title services_depends_on base_service_template_id 
| rex field=services_depends_on "serviceid=(?<serviceid>.*)~~~" 
| fillnull value="none" serviceid 
| mvexpand serviceid 
| join type=outer serviceid 
    [| `service_kpi_list` 
    | fields serviceid service_name] 
| stats list(service_name) as dependent_services by title base_service_template_id 
| eval dependent_services=mvjoin(dependent_services, ",") 
| rename title as service_name base_service_template_id as template_id 
| join type=outer template_id 
    [| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/base_service_template report_as=text 
    | eval value=spath(value,"{}") 
    | mvexpand value 
    | eval info_fields=spath(value,"informational.fields{}"),
        template_id=spath(value, "_key"),
        template_name=spath(value, "title") 
    | fields template_id template_name] 
| join type=outer service_name 
    [| inputlookup itsi_entities 
    | fields services._key title 
    | rename services._key as services title as host 
    | mvexpand services 
    | lookup service_kpi_lookup _key as services 
    | stats list(host) as host by title 
    | eval host=mvjoin(host, ",") 
    | rename title as service_name] 
| makemv delim="," host 
| mvexpand host 
| join type=outer host 
    [| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/entity report_as=text 
    | eval value=spath(value,"{}") 
    | mvexpand value 
    | eval info_fields=spath(value,"informational.fields{}"),
        entity_id=spath(value, "_key"),
        entity_title=spath(value, "title"),
        entity_name=spath(value, "identifying_name") 
    | appendpipe 
        [| where isnull(field_type) 
        | mvexpand info_fields 
        | eval field_value = spath(value,info_fields."{}"), field_type="info" 
        | rename info_fields as field_name
            ] 
    | where field_name IN ("<info_field>","<info_field>","<info_field>","<info_field>") 
    | stats list(field_value) as field_value by field_name entity_name 
    | eval field_value=mvjoin(field_value,",") 
    | eval {field_name}=field_value 
    | stats latest(<info_field>) as <info_field> latest(<info_field>) as <info_field> latest(<info_field>) as <info_field> by entity_name 
    | rename entity_name as host] 
| fields - template_id

ITWhisperer
SplunkTrust
SplunkTrust

Given that this looks like JSON, you could uses either spath or the json functions (new to 9.x)

Get Updates on the Splunk Community!

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

❄️ Celebrate the season with our December lineup of Community Office Hours, Tech Talks, and Webinars! ...

Splunk and Fraud

Watch Now!Watch an insightful webinar where we delve into the innovative approaches to solving fraud using the ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...