Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract a field out of JSON, and then use to get a count

chktlm
New Member
‎11-20-2019 09:39 AM

Hi. I am trying to get a count on the first field within my logs, of the requestBody json input. Below is an example of the log:

2019-11-20 17:20:03,802 INFO  [qqq1000000-10000] web.service.logging.IncomingRequest: ip=00.00.00.000, domain=http://url:0000/webService/web/Service/, username=null, date=[20/Nov/2019:17-20-03,802 +0000], method=POST uri=/webService/web/Service?schema=1.0&form=JSON&httpError=true&cid=12345, status=200, contentLength=68, responseTime=190, userAgent=WebServiceClient<Service> 3.5, referrer=, cacheStatus=miss, cid=12345 requestBody={"createPerson":{"customerId":"55555555.customer"}}, x-accountexternalid=987654321, api=service.create, x-partner=Partner, cid=12345

How would I grab the first entry in the JSON of the requestBody element, and then make that a field, so I can get a count. From the example above, I would want to grab createPerson from the requestBody section. Make this a field so I can then grab a count of the incoming requestBody first element? There would be other fields besides just createPerson. So I just want to extract that field within the quote, and get the count for each different element that is in that position of our incoming requests.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎11-20-2019 10:18 AM

try this:

...| rex "requestBody=\{\"(?<requestBody>\w+)" | stats count by requestBody

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎11-20-2019 10:18 AM

try this:

...| rex "requestBody=\{\"(?<requestBody>\w+)" | stats count by requestBody
0 Karma
Reply
Solved! Jump to solution

chktlm
New Member
‎11-25-2019 06:40 AM

Thank you very much mayurr98. Worked perfectly!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...