Re: How do I edit my search to convert extracted f...

tihhoni · ‎06-14-2016

Hi,

I have recently started using json log lines which works great with Splunk. There is one issue, however, which I cannot resolve at the moment.
The idea is to construct the original request out of json object

I have a field with structure:
req.args.paramA = value1
req.args.paramB = value2
req.args.paramC = value3

What I want to have in the end is a string:

paramA=value1&paramB=value2&paramC=value3

By design, I don't know param real names. Those can be changed, depending on what user submitted.
I tried using (as a test):

eval params= ""| foreach req.args.* [eval params=params + <>]

Gave me only Splunk errors...

Thanks

somesoni2 · ‎06-14-2016

Give this a try

your current search | eval params="" | foreach req.args.* [eval params=params."<<FIELD>>=".'<<FIELD>>'."&" ]

tihhoni · ‎06-20-2016

Thanks. As i wrote i tried it, and it did not work. The problem was with wrong types. Had to use casting tostring

foreach req.args.* [eval params=params."<<FIELD>>=".tostring('<<FIELD>>')."&"]

Now i seems to almost get what i want. The problem is that keys now have full name and some params appear as null if those are missing on other events:

req.args.paramA=value1&req.args.paramB=value2&req.args.paramC=null

somesoni2 · ‎06-20-2016

You can use fillnull command to update those null values to something default. like this

your current search | eval params="" | fillnull value="NA" req.args.* | foreach req.args.* [eval params=params."<<FIELD>>=".tostring('<<FIELD>>')."&"]

How do I edit my search to convert extracted field value pairs into a string?

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud