Splunk Search

Field extraction

marina_rovira
Contributor

Hello all,

I'm having trouble extracting fields from a sample in Splunk.

I went to "extract fields", I have the first one, but I don't know how to continue.

Here is the sample:

[{"Type":"Attention","ABUSE":18,"GSD 24x7":1,"CLOUD":0,"DC":0,"ECL":0,"ITMS":0,"NET":0,"RFO":17,"Total":36},{"Type":"Active","ABUSE":0,"GSD 24x7":22,"CLOUD":38,"DC":5,"ECL":1,"ITMS":0,"NET":12,"RFO":2,"Total":80},{"Type":"Total","ABUSE":18,"GSD 24x7":23,"CLOUD":38,"DC":5,"ECL":1,"ITMS":0,"NET":12,"RFO":19,"Total":116},{"Type":"P1","ABUSE":0,"GSD 24x7":0,"CLOUD":0,"DC":0,"ECL":0,"ITMS":0,"NET":0,"RFO":6,"Total":6},{"Type":"P2","ABUSE":0,"GSD 24x7":1,"CLOUD":0,"DC":0,"ECL":0,"ITMS":0,"NET":0,"RFO":10,"Total":11},{"Type":"P3\/4","ABUSE":18,"GSD 24x7":0,"CLOUD":0,"DC":0,"ECL":0,"ITMS":0,"NET":0,"RFO":1,"Total":19}]

From that, I would like to be able to calculate averages and sums from the numbers, using two fields:

- Team. Values: ABUSE, CLOUD, GSD 24x7, NET, RFO...
- Type: Attention, Active...

with this in the search:

| rex max_match=0 "\"Type\":\"(?<Type>[^\"]+)\""

I got the Type, but no idea how to proceed.

Any ideas?

Thank you all in advance.

1 Solution

isoutamo
SplunkTrust

Hi

As your data seems to be valid JSON, it's easiest to handle it that way.

index=_internal | head 1
| eval _raw = "[{\"Type\":\"Attention\",\"ABUSE\":18,\"GSD 24x7\":1,\"CLOUD\":0,\"DC\":0,\"ECL\":0,\"ITMS\":0,\"NET\":0,\"RFO\":17,\"Total\":36},{\"Type\":\"Active\",\"ABUSE\":0,\"GSD 24x7\":22,\"CLOUD\":38,\"DC\":5,\"ECL\":1,\"ITMS\":0,\"NET\":12,\"RFO\":2,\"Total\":80},{\"Type\":\"Total\",\"ABUSE\":18,\"GSD 24x7\":23,\"CLOUD\":38,\"DC\":5,\"ECL\":1,\"ITMS\":0,\"NET\":12,\"RFO\":19,\"Total\":116},{\"Type\":\"P1\",\"ABUSE\":0,\"GSD 24x7\":0,\"CLOUD\":0,\"DC\":0,\"ECL\":0,\"ITMS\":0,\"NET\":0,\"RFO\":6,\"Total\":6},{\"Type\":\"P2\",\"ABUSE\":0,\"GSD 24x7\":1,\"CLOUD\":0,\"DC\":0,\"ECL\":0,\"ITMS\":0,\"NET\":0,\"RFO\":10,\"Total\":11},{\"Type\":\"P3\/4\",\"ABUSE\":18,\"GSD 24x7\":0,\"CLOUD\":0,\"DC\":0,\"ECL\":0,\"ITMS\":0,\"NET\":0,\"RFO\":1,\"Total\":19}]"
| rename COMMENTS AS "Previous lines generate your sample data, you get it by index=xxx"
| spath
| rename {}.* as json_*
| table json_*

Unfortunately I'm not getting what/how you want to calculate those values.

r. Ismo 


marina_rovira
Contributor

Hi,

It's working perfectly, thanks a lot!

What I was thinking to calculate with this.... These numbers are the numbers coming before and after every shift. The simplest calculation should be to know the difference between the start and the end of the shift. However, I've realized that this won't be that easy. Do you have any idea? If not, I will say it's not possible to do; I've been asked for this as an improvement, but the main thing is working already.

Thank you!


isoutamo
SplunkTrust

As this is a new requirement, could you create a new question for it with a descriptive title? It's much easier to find and helps other people in the community later on.

marina_rovira
Contributor

Hi,

Thanks a lot, it looks like a table now! 🙂

This JSON gets data every 12 hours. What I intend to do is to perform some stats on the difference from the one I got in the last 12 hours, to check the difference and how the shifts are performing.

Does it make sense? I was thinking about sending alerts by e-mail with the stats, but I'm not sure how I can calculate the stats.


isoutamo
SplunkTrust

Just ensure that you have _time in your data and then it should work.

r. Ismo
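
The thread stops short of showing how the extracted numbers are then used, so the following is an added worked example; it is not code from either poster, and it is written in Python rather than SPL so the arithmetic can be checked outside Splunk. It does three things the exchange above asks for: it unpivots the posted array into (Type, Team, count) rows, which is the shape `spath` gets you to once the `{}.*` fields are turned into one row per cell and the shape needed to group by either Team or Type; it sums and averages per team over the status rows only, because in the sample the Total row is Attention + Active and the P1/P2/P3/4 rows add up to the Attention row, so summing all six rows double-counts; and it computes the per-cell change between two 12-hour snapshots, which is the "difference between the start and the end of the shift". The second snapshot (`START_OF_SHIFT`) is constructed with made-up numbers and deliberately lacks the ITMS column, so the delta function has to cope with a cell that exists in only one snapshot. `check_totals` is an extra consistency check that each row's Total matches its team counts, which is worth running on any feed before alerting on it.

```python
import json
from statistics import mean

# The array posted in the question, taken as the most recent 12-hour snapshot.
END_OF_SHIFT = json.loads(r'''[{"Type":"Attention","ABUSE":18,"GSD 24x7":1,"CLOUD":0,"DC":0,"ECL":0,"ITMS":0,"NET":0,"RFO":17,"Total":36},
{"Type":"Active","ABUSE":0,"GSD 24x7":22,"CLOUD":38,"DC":5,"ECL":1,"ITMS":0,"NET":12,"RFO":2,"Total":80},
{"Type":"Total","ABUSE":18,"GSD 24x7":23,"CLOUD":38,"DC":5,"ECL":1,"ITMS":0,"NET":12,"RFO":19,"Total":116},
{"Type":"P1","ABUSE":0,"GSD 24x7":0,"CLOUD":0,"DC":0,"ECL":0,"ITMS":0,"NET":0,"RFO":6,"Total":6},
{"Type":"P2","ABUSE":0,"GSD 24x7":1,"CLOUD":0,"DC":0,"ECL":0,"ITMS":0,"NET":0,"RFO":10,"Total":11},
{"Type":"P3\/4","ABUSE":18,"GSD 24x7":0,"CLOUD":0,"DC":0,"ECL":0,"ITMS":0,"NET":0,"RFO":1,"Total":19}]''')

# Constructed earlier snapshot (hypothetical numbers, not from the thread). The ITMS
# column is deliberately absent so that a team present in only one snapshot is
# reported instead of being silently compared against zero.
START_OF_SHIFT = [
    {"Type": "Attention", "ABUSE": 20, "GSD 24x7": 3, "CLOUD": 2, "DC": 0, "ECL": 0, "NET": 4, "RFO": 12, "Total": 41},
    {"Type": "Active", "ABUSE": 1, "GSD 24x7": 20, "CLOUD": 35, "DC": 5, "ECL": 0, "NET": 10, "RFO": 4, "Total": 75},
    {"Type": "Total", "ABUSE": 21, "GSD 24x7": 23, "CLOUD": 37, "DC": 5, "ECL": 0, "NET": 14, "RFO": 16, "Total": 116},
    {"Type": "P1", "ABUSE": 0, "GSD 24x7": 0, "CLOUD": 0, "DC": 0, "ECL": 0, "NET": 0, "RFO": 5, "Total": 5},
    {"Type": "P2", "ABUSE": 0, "GSD 24x7": 2, "CLOUD": 0, "DC": 0, "ECL": 0, "NET": 0, "RFO": 6, "Total": 8},
    {"Type": "P3/4", "ABUSE": 20, "GSD 24x7": 1, "CLOUD": 2, "DC": 0, "ECL": 0, "NET": 4, "RFO": 1, "Total": 28},
]

# The sample carries two breakdowns of the same tickets: by status and by priority.
# "Total" (both the row and the column) is derived, so it is kept out of sums and means.
STATUS_TYPES = ("Attention", "Active")
PRIORITY_TYPES = ("P1", "P2", "P3/4")


def to_rows(snapshot):
    """Unpivot the array of objects into (type, team, count) rows, one per team
    cell; this is the shape that lets you group by either Team or Type."""
    rows = []
    for obj in snapshot:
        for key, value in obj.items():
            if key in ("Type", "Total"):
                continue
            rows.append((obj["Type"], key, value))
    return rows


def check_totals(snapshot):
    """Return the Type values whose team counts do not add up to their Total."""
    return [obj["Type"] for obj in snapshot
            if sum(v for k, v in obj.items() if k not in ("Type", "Total")) != obj["Total"]]


def sum_by_team(snapshot, types):
    """Sum of counts per team, restricted to the given Type values."""
    totals = {}
    for t, team, value in to_rows(snapshot):
        if t in types:
            totals[team] = totals.get(team, 0) + value
    return totals


def mean_by_team(snapshot, types):
    """Average count per team, restricted to the given Type values."""
    per_team = {}
    for t, team, value in to_rows(snapshot):
        if t in types:
            per_team.setdefault(team, []).append(value)
    return {team: mean(values) for team, values in per_team.items()}


def shift_delta(start, end):
    """Per (type, team) change between two snapshots. Cells present in only one
    snapshot are returned separately rather than being compared against zero."""
    start_cells = {(t, team): v for t, team, v in to_rows(start)}
    end_cells = {(t, team): v for t, team, v in to_rows(end)}
    common = start_cells.keys() & end_cells.keys()
    delta = {cell: end_cells[cell] - start_cells[cell] for cell in common}
    return delta, start_cells.keys() - common, end_cells.keys() - common


if __name__ == "__main__":
    print("rows with inconsistent totals:", check_totals(END_OF_SHIFT) or "none")
    print("open per team:", sum_by_team(END_OF_SHIFT, STATUS_TYPES))
    print("mean per team:", mean_by_team(END_OF_SHIFT, STATUS_TYPES))
    delta, only_start, only_end = shift_delta(START_OF_SHIFT, END_OF_SHIFT)
    for (t, team), change in sorted(delta.items()):
        if change:
            print(f"{t:>9} {team:<8} {change:+d}")
    print("cells only in the newer snapshot:", sorted(only_end))
```

The same two points carry over to SPL: keep the Total row and the Total column out of whatever you `stats` by team or type, and, as Ismo says above, the shift delta only works if every snapshot carries its own `_time`, so that the latest two events can be told apart and paired up.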

Nisha18789
Builder

hi @marina_rovira, add another rex for extracting team with multivalues like

Team. Values: ABUSE, CLOUD, GSD 24x7, NET, RFO...

|rex max_match=0 "\"(?<team>[\w\s]+)\":\d+,"

Hope this helps!

Please upvote my response, if it resolves the issue.