Splunk Search

How do I edit my search to convert extracted field value pairs into a string?

tihhoni
New Member

Hi,

I have recently started using json log lines which works great with Splunk. There is one issue, however, which I cannot resolve at the moment.
The idea is to construct the original request out of json object

I have a field with structure:
req.args.paramA = value1
req.args.paramB = value2
req.args.paramC = value3

What I want to have in the end is a string:

paramA=value1&paramB=value2&paramC=value3

By design, I don't know param real names. Those can be changed, depending on what user submitted.
I tried using (as a test):

eval params= ""| foreach req.args.* [eval params=params + <>]

Gave me only Splunk errors...

Thanks

0 Karma

somesoni2
Revered Legend

Give this a try

your current search | eval params="" | foreach req.args.* [eval params=params."<<FIELD>>=".'<<FIELD>>'."&" ]
0 Karma

tihhoni
New Member

Thanks. As i wrote i tried it, and it did not work. The problem was with wrong types. Had to use casting tostring

foreach req.args.* [eval params=params."<<FIELD>>=".tostring('<<FIELD>>')."&"]

Now i seems to almost get what i want. The problem is that keys now have full name and some params appear as null if those are missing on other events:

req.args.paramA=value1&req.args.paramB=value2&req.args.paramC=null

0 Karma

somesoni2
Revered Legend

You can use fillnull command to update those null values to something default. like this

your current search | eval params="" | fillnull value="NA" req.args.* | foreach req.args.* [eval params=params."<<FIELD>>=".tostring('<<FIELD>>')."&"]
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...