Splunk Search

How to display a table with status reason and count of different status reasons like "NO_ID_UPLOADED", "FRAUD_ID"?

shashaikhhh
Explorer

Hi,
This is splunk query and it returns nested JSON object 

Query:
sourcetype=_json_fluentd source="***" | search message="SQS Result Data" "FAIL"

Response:

{ [-]
   additional: { [-]
     Messages: [ [-]
       { [-]
         Body{ "clientName" : "mpc", "tenantId" : "assd", "mid" : "asd-bhn", "userId" : "112778", "transactionReferenceId" : "trans1223", "verificationResult" : "FAIL", "verificationResultTimestamp" : "2022-05-19T05:44:24.090Z", "statusReason" : "NO_ID_UPLOADED" }
     ]

   }

   levelinfo
   messageSQS Result Data

}

I want to display a table with status reason and count of different status reasons like "NO_ID_UPLOADED", "FRAUD_ID".
Please share your answers.

Labels (4)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust
| spath
| spath input=additional.Messages{}.Body
| stats count by statusReason

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust
| stats count by additional.Messages{}.Body.statusReason

If this doesn't work, please share some sample raw events (i.e. not formatted) in a code block preferably

0 Karma

shashaikhhh
Explorer

shashaikhhh_0-1652952401512.png

Tried, not working.
Please find the raw events data

{"sessionId":"cl3cmekh8nvgbaxf1bm",

"requestId":"cleh8nv1526885k",

"additional"{"ResponseMetadata":

{"RequestId":"ffcdff50-d-a5af2808ad5c"},"Messages":[

{"MessageId":"bf-f7ec-4a45-a546-08a2d6e4",

"Body":"{\n \"clientName\" : \"mpc\",\n \"tenantId\" : \"9TQ389G0BZH3XSHK57Y88Z1H5M\",\n \"mid\" : \"60300004707-bhn\",\n \"userId\" : \"1432778\",\n \"transactionReferenceId\" : \"ACBJBG91X2N8TT591A3DJYXGR0\",\n \"verificationResult\" : \"FAIL\",\n \"verificationResultTimestamp\" : \"2022-05-19T05:44:24.090Z\",\n \"statusReason\" : \"NO_ID_UPLOADED\"\n}"}

]

},"level":"info","message":"SQS Result Data","platform":"HI-Marketplace","project":"YourCardHub","instance_id":"i-05e770b3db412","index":"bhn_apps","host":"production-HI-Marketplace-YourCardHub-cirr"}

Tags (3)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| spath
| spath input=additional.Messages{}.Body
| stats count by statusReason

shashaikhhh
Explorer

What a legend! thank you!

0 Karma
Get Updates on the Splunk Community!

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

  Now On Demand  Stay ahead of today’s evolving threats with the combined power of the Splunk Threat Research ...

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Automated Archival is a new capability within Metrics Management; which is a robust usage & cost optimization ...

Calling All Security Pros: Ready to Race Through Boston?

Hey Splunkers, .conf25 is heading to Boston and we’re kicking things off with something bold, competitive, and ...