
How to write a Splunk query to split values of multiple dictionaries within a list

vinodkumarK
Explorer

The query is to retrieve the failed test case matching an exception message. Out of 6 failed test cases, one test has an exception and the rest of them are skipped with the message 'Test was skipped'.

Below is the data of one event.

 

 

{
  "suite_build_id": "20241015.12",
  "suite_build_name": "pipeline_name",
  "unit_test_name_failed": [
    {
      "message": "Failed to save the shipping address. An unexpected error occurred. Please try again later or contact HP Support for assistance.",
      "test_rail_name": "test_printer_order_placement_magento",
      "test_result": "fail"
    },
    {
      "message": "Test was skipped",
      "test_rail_name": "test_updation_of_access_token"
    },
    {
      "message": "Test was skipped",
      "test_name": "test_printer_and_user_details",
      "test_rail_name": "test_printer_and_user_details"
    }
  ]
}

 

 

Now, I want to display a result showing the test_rail_name and exception_message that match the exception.

Below is the query that I tried.

 

 

index="eqt-e2e" suite_build_name="pipeline-name" suite_build_number="20241015.12"
| mvexpand unit_test_name_failed{}.message
| mvexpand unit_test_name_failed{}.test_rail_name
| search unit_test_name_failed{}.message="Failed to save the shipping address. An unexpected error occurred. Please try again later or contact HP Support for assistance."
| table suite_build_number, suite_build_start_time, unit_test_name_failed{}.test_rail_name, unit_test_name_failed{}.message
| rename suite_build_number AS "Pipeline Number", suite_build_start_time AS "Pipeline Date", unit_test_name_failed{}.test_rail_name AS "Test Name", unit_test_name_failed{}.message AS "Exception Message"

 

 

The result should have been 1 event, but it retrieves 6 events.

vinodkumarK_0-1728997994812.png

I understand that mvexpand works on only one multivalue field, and here I have 2 multivalue fields.

Let me know if there is any solution for retrieving the data.

0 Karma
1 Solution

ITWhisperer
SplunkTrust
| spath unit_test_name_failed{} output=unit_test_name_failed
| mvexpand unit_test_name_failed
| spath input=unit_test_name_failed
| where message="Failed to save the shipping address. An unexpected error occurred. Please try again later or contact HP Support for assistance."
| table message test_rail_name


ITWhisperer
SplunkTrust

mvexpand on message creates 3 events from one. mvexpand on test_rail_name creates 2 events from each of these - hence 6 events.

| spath unit_test_name_failed{} output=unit_test_name_failed
| mvexpand unit_test_name_failed
| spath input=unit_test_name_failed
| where message="Failed to save the shipping address. An unexpected error occurred. Please try again later or contact HP Support for assistance."

 

0 Karma
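
An added example, not part of the original thread and not Splunk code: a small Python model of the behaviour described in the reply above, showing why expanding each multivalue field separately pairs every message with every test name, while expanding the array elements keeps each object's fields together. The event is a constructed, shortened copy of the posted sample and the function names are hypothetical; the row counts apply to this sample only.

```python
import json
from itertools import product

# Constructed sample event, modelled on the JSON posted in the question
# (message text shortened; trailing commas removed so it parses).
EVENT = json.loads("""
{
  "suite_build_id": "20241015.12",
  "unit_test_name_failed": [
    {"message": "Failed to save the shipping address.",
     "test_rail_name": "test_printer_order_placement_magento",
     "test_result": "fail"},
    {"message": "Test was skipped",
     "test_rail_name": "test_updation_of_access_token"},
    {"message": "Test was skipped",
     "test_name": "test_printer_and_user_details",
     "test_rail_name": "test_printer_and_user_details"}
  ]
}
""")
FAILED = EVENT["unit_test_name_failed"]
WANTED = "Failed to save the shipping address."


def multivalue(key):
    """Model of an auto-extracted field like unit_test_name_failed{}.<key>:
    a flat list of values with no link back to the object each came from."""
    return [obj[key] for obj in FAILED if key in obj]


def expand_fields_separately():
    """Model of two successive mvexpand calls, one per multivalue field:
    every message is paired with every test_rail_name."""
    return list(product(multivalue("message"), multivalue("test_rail_name")))


def expand_objects():
    """Model of spath output=... | mvexpand | spath input=...:
    one row per array element, so fields of one object stay together."""
    return [(obj.get("message"), obj.get("test_rail_name")) for obj in FAILED]


def matching(rows):
    """Keep rows whose message equals the exception text (the search/where step)."""
    return [row for row in rows if row[0] == WANTED]
```

Filtering the field-by-field expansion still leaves one row per test name, because the exception message has been paired with all of them; filtering the per-object expansion leaves the single intended row.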

vinodkumarK
Explorer

Thanks for the response. Appreciate it.

I tried your query, and it didn't match my result.

Below is the result of your query.

vinodkumarK_0-1729000113107.png

I want to display a row, with test_rail_name as 'test_printer_order_placement_magento' and message as 'Failed to save the shipping address. An unexpected error occurred. Please try again later or contact HP Support for assistance.'

0 Karma

ITWhisperer
SplunkTrust

What do you get from this?

| spath unit_test_name_failed{} output=unit_test_name_failed
| mvexpand unit_test_name_failed
| table unit_test_name_failed
0 Karma

vinodkumarK
Explorer

Here.

vinodkumarK_0-1729001006779.png

 

0 Karma

ITWhisperer
SplunkTrust
| spath unit_test_name_failed{} output=unit_test_name_failed
| mvexpand unit_test_name_failed
| spath input=unit_test_name_failed
| where message="Failed to save the shipping address. An unexpected error occurred. Please try again later or contact HP Support for assistance."
| table message test_rail_name

vinodkumarK
Explorer

This is how the data is shown if I just display the list.

vinodkumarK_0-1728999185529.png

 

0 Karma