Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Help me extract this data and create a table.

ekucevic
Loves-to-Learn Everything
‎11-19-2021 11:16 AM

I have a log sample: 

| LRU Config Message from RMQ: {"endpoint":"lru/ config", "data":{"timestamp":1637322539.953,"version":"1","aircraftTailId":"N123JB",[{"lruComponent":"Modem","lruHwPartNumber":"123456","lruHwSerialNumber":"C82821190191","lruRevisionNumber":"004","lruMacAddress":true}, {"lruComponent":"Server","lruHwPartNumber":"1244632","lruHwSerialNumber":"F39718480040","lruRevisionNumber":"004","lruMacAddress":null},

What i want to do is extract the date and create a table based on the color i highlighted above. 

lruComponent  |  lruHwPartNumber | 

Modem                   123456

Labels (2)
Labels
Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-19-2021 12:37 PM

See if this sample query helps.  It uses rex to extract the field values, mvzip to pair component with part number, then splits them back out for display.

| makeresults | eval _raw="LRU Config Message from RMQ: {\"endpoint\":\"lru/ config\", \"data\":{\"timestamp\":1637322539.953,\"version\":\"1\",\"aircraftTailId\":\"N123JB\",[{\"lruComponent\":\"Modem\",\"lruHwPartNumber\":\"123456\",\"lruHwSerialNumber\":\"C82821190191\",\"lruRevisionNumber\":\"004\",\"lruMacAddress\":true}, {\"lruComponent\":\"Server\",\"lruHwPartNumber\":\"1244632\",\"lruHwSerialNumber\":\"F39718480040\",\"lruRevisionNumber\":\"004\",\"lruMacAddress\":null},"
```The above is just for testing```
| rex max_match=0 "lruComponent\\\":\\\"(?<lruComponent>[^\\\"]+)\\\",\\\"lruHwPartNumber\\\":\\\"(?<lruHwPartNumber>[^\\\"]+)"
| eval compNum=mvzip(lruComponent,lruHwPartNumber,",")
| mvexpand compNum
| eval compNum=split(compNum,",")
| eval lruComponent=mvindex(compNum,0), lruHwPartNumber=mvindex(compNum,1)
| table lruComponent lruHwPartNumber

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ekucevic
Loves-to-Learn Everything
‎11-21-2021 07:14 AM

This is exactly what i was looking for. Really appreciate it. 

One more thing, i want to add in 3rd column, "lruHwSerialNumber" and also these "lruHwSerialNumber"s  change over time. When i add in the serial number column will "Dedup _lruHwSerialNumber" work?

 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-21-2021 11:08 AM

You can add a 3rd column, just be aware the mvzip function only accepts two arguments.  You can, however, nest mvzip calls.  See https://docs.splunk.com/Documentation/Splunk/8.2.3/SearchReference/MultivalueEvalFunctions#Extended_... for an example of that.

Dedup should work, but I'd have to know more about how you plan to use to say for sure.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ekucevic
Loves-to-Learn Everything
‎11-22-2021 06:36 AM

Lets say i dont want to add in a 3rd field, I find that when i just change one of the components of your solution from "lruHwPartNumber" to "lruHwSerialNumber" it doesnt give me any results. 

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-22-2021 06:57 AM

Substituting random fields won't work if the new field is not extracted.  Try this query.

| makeresults | eval _raw="LRU Config Message from RMQ: {\"endpoint\":\"lru/ config\", \"data\":{\"timestamp\":1637322539.953,\"version\":\"1\",\"aircraftTailId\":\"N123JB\",[{\"lruComponent\":\"Modem\",\"lruHwPartNumber\":\"123456\",\"lruHwSerialNumber\":\"C82821190191\",\"lruRevisionNumber\":\"004\",\"lruMacAddress\":true}, {\"lruComponent\":\"Server\",\"lruHwPartNumber\":\"1244632\",\"lruHwSerialNumber\":\"F39718480040\",\"lruRevisionNumber\":\"004\",\"lruMacAddress\":null},"
```The above is just for testing```
| rex max_match=0 "lruComponent\\\":\\\"(?<lruComponent>[^\\\"]+)\\\",\\\"lruHwPartNumber\\\":\\\"(?<lruHwPartNumber>[^\\\"]+)\\\",\\\"lruHwSerialNumber\\\":\\\"(?<lruHwSerialNumber>[^\\\"]+)"
| eval compNum=mvzip(lruComponent,lruHwSerialNumber,",")
| mvexpand compNum
| eval compNum=split(compNum,",")
| eval lruComponent=mvindex(compNum,0), lruHwSerialNumber=mvindex(compNum,1)
| table lruComponent lruHwSerialNumber
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

ekucevic
Loves-to-Learn Everything
‎11-23-2021 12:05 PM

I am going to accept this solution. Really appreciate your help. 

One thing i noticed is these are periodic logs and usually the serial numbers can change. I added dedup lruHwSerialNumber thinking it would pull the different serial based on the time frame i know it changed but it doesnt seem to pull it. 

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...