Splunk Search

Field extraction

marina_rovira
Contributor

Hello all,

I'm having issues extracting fields from a sample in Splunk.

I went to "extract fields", I have the first one, but I don't know how to continue.

Here is the sample:


[{"Type":"Attention","ABUSE":18,"GSD 24x7":1,"CLOUD":0,"DC":0,"ECL":0,"ITMS":0,"NET":0,"RFO":17,"Total":36},{"Type":"Active","ABUSE":0,"GSD 24x7":22,"CLOUD":38,"DC":5,"ECL":1,"ITMS":0,"NET":12,"RFO":2,"Total":80},{"Type":"Total","ABUSE":18,"GSD 24x7":23,"CLOUD":38,"DC":5,"ECL":1,"ITMS":0,"NET":12,"RFO":19,"Total":116},{"Type":"P1","ABUSE":0,"GSD 24x7":0,"CLOUD":0,"DC":0,"ECL":0,"ITMS":0,"NET":0,"RFO":6,"Total":6},{"Type":"P2","ABUSE":0,"GSD 24x7":1,"CLOUD":0,"DC":0,"ECL":0,"ITMS":0,"NET":0,"RFO":10,"Total":11},{"Type":"P3\/4","ABUSE":18,"GSD 24x7":0,"CLOUD":0,"DC":0,"ECL":0,"ITMS":0,"NET":0,"RFO":1,"Total":19}]

From that, I would like to be able to calculate averages and sums from the numbers, having two fields:

- Team. Values: ABUSE, CLOUD, GSD 24x7, NET, RFO...

- Type: Attention, Active...


With this in the search:


| rex max_match=0 "\"Type\":\"(?<Type>[^\"]+)\""


I got the Type, but no idea on how to proceed.


Any ideas?

Thank you all in advance.

1 Solution

isoutamo
SplunkTrust

Hi

As your data seems to be valid JSON, it's easiest to handle it that way.

index=_internal | head 1
| eval _raw = "[{\"Type\":\"Attention\",\"ABUSE\":18,\"GSD 24x7\":1,\"CLOUD\":0,\"DC\":0,\"ECL\":0,\"ITMS\":0,\"NET\":0,\"RFO\":17,\"Total\":36},{\"Type\":\"Active\",\"ABUSE\":0,\"GSD 24x7\":22,\"CLOUD\":38,\"DC\":5,\"ECL\":1,\"ITMS\":0,\"NET\":12,\"RFO\":2,\"Total\":80},{\"Type\":\"Total\",\"ABUSE\":18,\"GSD 24x7\":23,\"CLOUD\":38,\"DC\":5,\"ECL\":1,\"ITMS\":0,\"NET\":12,\"RFO\":19,\"Total\":116},{\"Type\":\"P1\",\"ABUSE\":0,\"GSD 24x7\":0,\"CLOUD\":0,\"DC\":0,\"ECL\":0,\"ITMS\":0,\"NET\":0,\"RFO\":6,\"Total\":6},{\"Type\":\"P2\",\"ABUSE\":0,\"GSD 24x7\":1,\"CLOUD\":0,\"DC\":0,\"ECL\":0,\"ITMS\":0,\"NET\":0,\"RFO\":10,\"Total\":11},{\"Type\":\"P3\/4\",\"ABUSE\":18,\"GSD 24x7\":0,\"CLOUD\":0,\"DC\":0,\"ECL\":0,\"ITMS\":0,\"NET\":0,\"RFO\":1,\"Total\":19}]"
| rename COMMENTS AS "Previous lines generate your sample data, you get it by index=xxx"
| spath
| rename {}.* as json_*
| table json_*

Unfortunately I'm not getting what/how you want to calculate those values.

r. Ismo 

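Building on the spath approach above and the asker's stated goal (sums and averages per Team and Type, plus the difference between consecutive 12-hour snapshots), here is an added search that is not part of the thread. It assumes placeholder index and sourcetype names and that each event is one JSON array with a valid _time; it reshapes each array element into one row per Type and team before aggregating.

```spl
index=<your_index> sourcetype=<your_sourcetype>
``` split the top-level array so every object becomes its own event ```
| spath path={} output=row
| mvexpand row
| spath input=row path=Type output=Type
``` grab every "<team>":<number> pair; team and count stay index-aligned ```
| rex field=row max_match=0 "\"(?<team>[^\"]+)\":(?<count>\d+)"
| eval pair=mvzip(team, count, "=")
| fields _time Type pair
``` one row per (Type, team); the Total column and Total row are derived, so drop them ```
| mvexpand pair
| rex field=pair "^(?<team>.+)=(?<count>\d+)$"
| eval count=tonumber(count)
| where team!="Total" AND Type!="Total"
``` previous snapshot per (Type, team) gives the change over the last shift ```
| sort 0 _time
| streamstats current=f last(count) as prev_count by Type team
| eval shift_delta = count - prev_count
| stats sum(count) as sum_count avg(count) as avg_count latest(shift_delta) as latest_delta by Type team
```

Keep the `fields` line before `mvexpand`: it limits memory use on large result sets, and an alert on `latest_delta` can then be attached to this search with `where latest_delta > <threshold>`.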


marina_rovira
Contributor

Hi,

It's working perfectly, thanks a lot!

What I was thinking to calculate with this... These numbers are numbers coming before and after every shift. The simplest calculation to do should be to know the difference between the starting and ending shift. However, I've realized that this won't be that easy. Do you have any idea? If not, I will say it's not possible to do; I've been requested to do this as an improvement, but the main thing is working already.


Thank you!


isoutamo
SplunkTrust

As this is a new requirement, could you create a new question for it with a descriptive title? It's much easier to find and helps other people in the community later on.

marina_rovira
Contributor

Hi,

Thanks a lot, it looks like a table now! 🙂

This JSON gets data every 12 hours. What I intend to do is to perform some stats on the difference from the one I got in the last 12 hours, to check the difference and how the shifts are performing.


Does it make sense? I was thinking about sending alerts by e-mail with the stats, but I'm not sure how I can calculate the stats.


isoutamo
SplunkTrust

Just ensure that you have _time in your data and then it should work.

r. Ismo

Nisha18789
Builder

Hi @marina_rovira, add another rex for extracting team with multivalues like

Team. Values: ABUSE, CLOUD, GSD 24x7, NET, RFO...

|rex max_match=0 "\"(?<team>[\w\s]+)\":\d+,"


Hope this helps!

Please upvote my response, if it resolves the issue.
