Splunk Search

Extracting fields within nested json data

Pr1
New Member

Hi,

I am new to Splunk development. Please provide your assistance with creating a search. Thanks in advance.

I am trying to create a report that fetches the requestId and proposition IDs based on odds and account number. Attached is a sample event in which multiple requests arrive as a single combined event in Splunk. I have used a query like the one below, but it displays all the propositions for every request/odds combination. I want to display only the propositionId related to a particular request ID and odds. Attaching a sample for reference.

 

index=abc source="data.log" "Response.errors{}.message"="cobination"
| spath "Response.errors{}.code"
| search "Response.errors{}.code"=COMBINATION
| spath "Response.b{}.legs{}.propositions{}.propositionId"
| spath "Response.b{}.legs{}.odds"
| rename "Response.b{}.legs{}.odds" as Odds
| spath "accountDetails.accountNumber"
| dedup "accountDetails.accountNumber"
| rename "accountDetails.accountNumber" as AccountNumber
| spath "Response.b{}.requestId"
| rename "Response.b{}.requestId" as RequestId
| stats values("Response.errors{}.code") as ErrorCode, values("Response.b{}.legs{}.propositions{}.propositionId") as PropositionId by AccountNumber, Odds, RequestId, _time

 


Pr1
New Member

Thanks for the quick turnaround.

I am expecting results for the account like below:

requestId   Odds   propositionId
0126        1.75   6768
            2.75   6685
            1.85   6770
            3.5    6710
            4.25   6716
171         1.75   6683
            3.75   6692
            1.85   6705
            4.25   6716

ITWhisperer
SplunkTrust

Please provide some sample (anonymised), representative raw events in a code block (this helps with understanding your data and allows us to set up tests of solutions to your question).


PickleRick
SplunkTrust

1. Please don't call out people by name. If they have spare time they'll probably help you. If they don't, they won't. And calling them out explicitly can actually make them less likely to want to help you.

2. It's a bit confusing - what does your single event look like? Please post a full event sample (preferably in a code block).

3. If I understand correctly, you have an array within your json structure and the fields of separate structures within your array get "squished" so you can't correlate between values in those fields, right? Typically for that you need to extract the array field as a whole to a multivalued field, then split the event on that field to multiple ones and then parse the json further. Like

| spath path="propositions"
| mvexpand propositions
| spath input=propositions

It's gonna be more complicated if you have several arrays in a single event and you have to "split" them all this way and correlate. That's more of a case of badly formatted data.

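A self-contained version of the extract-then-mvexpand approach above, written for this thread as an added example (it is not code from the original post or from Splunk's documentation). The makeresults/eval stanza builds one constructed event from the expected table in the question, assuming the nesting implied by the field paths used there: Response.b{} is an array of requests, each carrying a requestId and a legs{} array, and each leg carries odds and a propositions{} array of propositionId values. The account number, error message and the structure itself are assumptions. To run it on live data, replace the first two commands with the real base search (index=abc source="data.log").

```spl
| makeresults
| eval _raw="{\"accountDetails\":{\"accountNumber\":\"12345\"},"
           . "\"Response\":{\"errors\":[{\"code\":\"COMBINATION\",\"message\":\"combination\"}],"
           . "\"b\":[{\"requestId\":\"0126\",\"legs\":["
           . "{\"odds\":1.75,\"propositions\":[{\"propositionId\":6768}]},"
           . "{\"odds\":2.75,\"propositions\":[{\"propositionId\":6685}]},"
           . "{\"odds\":1.85,\"propositions\":[{\"propositionId\":6770}]},"
           . "{\"odds\":3.5,\"propositions\":[{\"propositionId\":6710}]},"
           . "{\"odds\":4.25,\"propositions\":[{\"propositionId\":6716}]}]},"
           . "{\"requestId\":\"171\",\"legs\":["
           . "{\"odds\":1.75,\"propositions\":[{\"propositionId\":6683}]},"
           . "{\"odds\":3.75,\"propositions\":[{\"propositionId\":6692}]},"
           . "{\"odds\":1.85,\"propositions\":[{\"propositionId\":6705}]},"
           . "{\"odds\":4.25,\"propositions\":[{\"propositionId\":6716}]}]}]}}"
| spath path="accountDetails.accountNumber" output=AccountNumber
| spath path="Response.errors{}.code" output=ErrorCode
| search ErrorCode=COMBINATION
| spath path="Response.b{}" output=request
| mvexpand request
| spath input=request path="requestId" output=RequestId
| spath input=request path="legs{}" output=leg
| mvexpand leg
| spath input=leg path="odds" output=Odds
| spath input=leg path="propositions{}.propositionId" output=PropositionId
| mvexpand PropositionId
| table _time AccountNumber ErrorCode RequestId Odds PropositionId
```

The first spath on Response.b{} pulls each request object out as one value of a multivalue field, and mvexpand turns those values into separate events, so the next spath (input=request) only ever sees a single request and its RequestId is not mixed with the others. The same pattern is repeated one level down for legs{}, which is what keeps each Odds value paired with the propositionId of its own leg; the output rows match the expected table in the question. Two checks worth making before relying on this in a report: mvexpand is memory-bound (max_mem_usage_mb in limits.conf) and truncates its output with a warning when an event expands past that limit, so large arrays need that limit raised or the data split upstream; and the dedup on accountDetails.accountNumber in the original query keeps only one event per account, which discards every other request for that account before stats runs.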

ITWhisperer
SplunkTrust

To expand on @PickleRick's point 1, you may actually get a double negative effect: those you call out may be less likely to respond to specific demands on their time, and those you don't call out may think you don't value their contributions (as much), so why should they bother?
