Splunk ITSI
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Extract data of Trained Models from Nested Json

krutika_ag
Path Finder
‎05-16-2024 02:52 AM

SPL Query:

| getservice 
| search algorithms=*itsi_predict_*

krutika_ag_0-1715852580919.jpeg

I want to extract the algorithms and then outputlookup the model_id of the model where recommended:True

 krutika_ag_1-1715852683585.png

 

Please suggest how do I do thiS?

 

 

 

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

proyleJDS
Path Finder
‎08-05-2024 02:53 PM

If the values you need are service info fields you could use a search like this to find them just

  • Replace <service_title> with the services you want to clone
  • Replace <info_field> with any service info fields you need to use
| getservice 
| search title IN ("<service_title>*","<service_title>*") 
| fillnull value="none" services_depends_on base_service_template_id 
| fields title services_depends_on base_service_template_id 
| rex field=services_depends_on "serviceid=(?<serviceid>.*)~~~" 
| fillnull value="none" serviceid 
| mvexpand serviceid 
| join type=outer serviceid 
    [| `service_kpi_list` 
    | fields serviceid service_name] 
| stats list(service_name) as dependent_services by title base_service_template_id 
| eval dependent_services=mvjoin(dependent_services, ",") 
| rename title as service_name base_service_template_id as template_id 
| join type=outer template_id 
    [| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/base_service_template report_as=text 
    | eval value=spath(value,"{}") 
    | mvexpand value 
    | eval info_fields=spath(value,"informational.fields{}"),
        template_id=spath(value, "_key"),
        template_name=spath(value, "title") 
    | fields template_id template_name] 
| join type=outer service_name 
    [| inputlookup itsi_entities 
    | fields services._key title 
    | rename services._key as services title as host 
    | mvexpand services 
    | lookup service_kpi_lookup _key as services 
    | stats list(host) as host by title 
    | eval host=mvjoin(host, ",") 
    | rename title as service_name] 
| makemv delim="," host 
| mvexpand host 
| join type=outer host 
    [| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/entity report_as=text 
    | eval value=spath(value,"{}") 
    | mvexpand value 
    | eval info_fields=spath(value,"informational.fields{}"),
        entity_id=spath(value, "_key"),
        entity_title=spath(value, "title"),
        entity_name=spath(value, "identifying_name") 
    | appendpipe 
        [| where isnull(field_type) 
        | mvexpand info_fields 
        | eval field_value = spath(value,info_fields."{}"), field_type="info" 
        | rename info_fields as field_name
            ] 
    | where field_name IN ("<info_field>","<info_field>","<info_field>","<info_field>") 
    | stats list(field_value) as field_value by field_name entity_name 
    | eval field_value=mvjoin(field_value,",") 
    | eval {field_name}=field_value 
    | stats latest(<info_field>) as <info_field> latest(<info_field>) as <info_field> latest(<info_field>) as <info_field> by entity_name 
    | rename entity_name as host] 
| fields - template_id

View solution in original post

Reply
Solved! Jump to solution
Solution

proyleJDS
Path Finder
‎08-05-2024 02:53 PM

If the values you need are service info fields you could use a search like this to find them just

  • Replace <service_title> with the services you want to clone
  • Replace <info_field> with any service info fields you need to use
| getservice 
| search title IN ("<service_title>*","<service_title>*") 
| fillnull value="none" services_depends_on base_service_template_id 
| fields title services_depends_on base_service_template_id 
| rex field=services_depends_on "serviceid=(?<serviceid>.*)~~~" 
| fillnull value="none" serviceid 
| mvexpand serviceid 
| join type=outer serviceid 
    [| `service_kpi_list` 
    | fields serviceid service_name] 
| stats list(service_name) as dependent_services by title base_service_template_id 
| eval dependent_services=mvjoin(dependent_services, ",") 
| rename title as service_name base_service_template_id as template_id 
| join type=outer template_id 
    [| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/base_service_template report_as=text 
    | eval value=spath(value,"{}") 
    | mvexpand value 
    | eval info_fields=spath(value,"informational.fields{}"),
        template_id=spath(value, "_key"),
        template_name=spath(value, "title") 
    | fields template_id template_name] 
| join type=outer service_name 
    [| inputlookup itsi_entities 
    | fields services._key title 
    | rename services._key as services title as host 
    | mvexpand services 
    | lookup service_kpi_lookup _key as services 
    | stats list(host) as host by title 
    | eval host=mvjoin(host, ",") 
    | rename title as service_name] 
| makemv delim="," host 
| mvexpand host 
| join type=outer host 
    [| rest splunk_server=local /servicesNS/nobody/SA-ITOA/itoa_interface/entity report_as=text 
    | eval value=spath(value,"{}") 
    | mvexpand value 
    | eval info_fields=spath(value,"informational.fields{}"),
        entity_id=spath(value, "_key"),
        entity_title=spath(value, "title"),
        entity_name=spath(value, "identifying_name") 
    | appendpipe 
        [| where isnull(field_type) 
        | mvexpand info_fields 
        | eval field_value = spath(value,info_fields."{}"), field_type="info" 
        | rename info_fields as field_name
            ] 
    | where field_name IN ("<info_field>","<info_field>","<info_field>","<info_field>") 
    | stats list(field_value) as field_value by field_name entity_name 
    | eval field_value=mvjoin(field_value,",") 
    | eval {field_name}=field_value 
    | stats latest(<info_field>) as <info_field> latest(<info_field>) as <info_field> latest(<info_field>) as <info_field> by entity_name 
    | rename entity_name as host] 
| fields - template_id
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-16-2024 03:04 AM

Given that this looks like JSON, you could uses either spath or the json functions (new to 9.x)

Reply
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...
li.common.scroll-to.top