Hi,
I am new to Splunk development. Please provide your assistance for creating a search. Thanks in advance.
I am trying to create a report where I need to fetch the requestId and propositionId based on odds and account number. Attached is a sample event where multiple requests are in a single event, which comes to Splunk as one combined event. I have used a query like the one below, but it displays all the propositions for every request/odds combination. I want to display the propositionId only for a particular requestId and odds. Attaching a sample for reference.
index=abc source="data.log" "Response.errors{}.message"="cobination"
| spath "Response.errors{}.code"
| search "Response.errors{}.code"=COMBINATION
| spath "Response.b{}.legs{}.propositions{}.propositionId"
| spath "Response.b{}.legs{}.odds"
| rename "Response.b{}.legs{}.odds" as Odds
| spath "accountDetails.accountNumber"
| dedup "accountDetails.accountNumber"
| rename "accountDetails.accountNumber" as AccountNumber
| spath "Response.b{}.requestId"
| rename "Response.b{}.requestId" as RequestId
| stats values("Response.errors{}.code") as ErrorCode, values("Response.b{}.legs{}.propositions{}.propositionId") as PropositionId by AccountNumber, Odds, RequestId, _time
Thanks for the quick turnaround.
Expecting the results for the account like below:
requestId | Odds | Odds | propositionId
0         | 126  | 1.75 | 6768
          |      | 2.75 | 6685
          |      | 1.85 | 6770
          |      | 3.5  | 6710
          |      | 4.25 | 6716
1         | 71   | 1.75 | 6683
          |      | 3.75 | 6692
          |      | 1.85 | 6705
          |      | 4.25 | 6716
Please provide some sample (anonymised), representative raw events in a code block (this helps us understand your data and allows us to set up tests of solutions to your question).
1. Please don't call out people by name. If they have spare time they'll probably help you; if they don't, they won't. And calling them out explicitly can actually make them less likely to want to help you.
2. It's a bit confusing - what does your single event look like? Please post a full event sample (preferably in a code block).
3. If I understand correctly, you have an array within your JSON structure, and the fields of the separate structures within that array get "squished" together so you can't correlate values across those fields, right? Typically for that you need to extract the array field as a whole into a multivalued field, then split the event on that field into multiple events and parse the JSON further. Like:
| spath path="propositions"
| mvexpand propositions
| spath input=propositions
It's gonna be more complicated if you have several nested arrays in a single event and you have to "split" them all this way and correlate them. That's more a case of badly formatted data.
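The nested case described in point 3 (an array of requests, each holding an array of legs, each holding an array of propositions), worked through end to end as an added example. This is not from the original post or from the replier; it builds on the field paths the question shows (accountDetails.accountNumber, Response.errors{}.code, Response.b{}.requestId, Response.b{}.legs{}.odds, Response.b{}.legs{}.propositions{}.propositionId). The event is constructed with makeresults so the search runs on its own; the values in it are made up. In a real search, replace the first two lines with the index/source filter from the question.

```spl
| makeresults
| eval _raw="{\"accountDetails\":{\"accountNumber\":\"A1\"},\"Response\":{\"errors\":[{\"code\":\"COMBINATION\",\"message\":\"combination\"}],\"b\":[{\"requestId\":0,\"legs\":[{\"odds\":1.75,\"propositions\":[{\"propositionId\":6768}]},{\"odds\":2.75,\"propositions\":[{\"propositionId\":6685}]}]},{\"requestId\":1,\"legs\":[{\"odds\":1.75,\"propositions\":[{\"propositionId\":6683}]},{\"odds\":3.75,\"propositions\":[{\"propositionId\":6692}]}]}]}}"
``` Event-level fields: these are the same for every request in the event, so extract them once, before any splitting.
| spath path="accountDetails.accountNumber" output=AccountNumber
| spath path="Response.errors{}.code" output=ErrorCode
``` Level 1: pull the whole request array into one multivalued field (one JSON object per value) and split the event so each request becomes its own row.
| spath path="Response.b{}" output=request
| mvexpand request
| spath input=request path="requestId" output=RequestId
``` Level 2: inside each request row, do the same for the legs array, so each row is now exactly one (request, leg) pair.
| spath input=request path="legs{}" output=leg
| mvexpand leg
| spath input=leg path="odds" output=Odds
``` Level 3: propositions belong to one leg, so parsing them from the leg object keeps them correlated with that leg's odds. Several propositions per leg simply yield a multivalued field.
| spath input=leg path="propositions{}.propositionId" output=PropositionId
``` Group by the keys the report needs. Because every row already holds only its own request/leg, values() no longer mixes propositions across requests.
| stats values(ErrorCode) as ErrorCode values(PropositionId) as PropositionId by AccountNumber RequestId Odds
```

Note that the example leaves out the dedup on account number from the question: dedup runs before any splitting, so it would discard whole events, not just duplicate rows. The order of operations is what matters here: fields common to the entire event are extracted first, then each array level is expanded with its own spath/mvexpand pair, and only the fields that vary per element are read from the expanded object. Reading a deep path such as Response.b{}.legs{}.odds directly from _raw is what flattens all legs of all requests into one multivalue field and loses the correlation.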
To expand on @PickleRick's point 1, you may actually get a double negative effect: those you call out may be less likely to respond to specific demands on their time, and those you don't call out may think you don't value their contributions (as much), so why should they bother?