Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to extract integer value in search from string JSON in log event

soshua
New Member
‎02-12-2020 10:11 AM

I am trying to extract 'timeTaken' value from json inside a log event string in order to build a dashboard.

Example log value:

2020-02-12 17:50:15.228  INFO 1 --- [io-8080-exec-45] c.m.v.c.RequestInterceptor         : {"logType":"RESPONSE","traceId":"03927a51-23d6-4530-a0e6-112b6d4b5539","timestamp":"Feb 12, 2020 5:50:15 PM","requestMethod":"GET","requestUrl":"http://my.url","responseStatus":500,"timeTaken":28}

Search example :

index = "my_cluster_name" "kubernetes.labels.app"=my.app | spath log | search log="*"timeTaken"" | rex field=_raw ""timeTaken":(?<timeTaken>.*)}" | timechart span=60s avg(timeTaken)

I also tried:

index = "my_cluster_name" "kubernetes.labels.app"=my.app | spath log | search log="*"timeTaken"" | rex field=_raw "timeTaken\":(?<timeTaken>.*)}" | timechart span=60s avg(timeTaken)

It appears that the value for timeTaken is not populated. I would be grateful for any guidance. Thanks!

0 Karma
Reply

soshua
New Member
‎02-12-2020 01:51 PM

Solution:
index = "my_cluster_name" "kubernetes.labels.app"=my.app | spath log | search log="*"timeTaken"" | rex field=log "(?<time>(?<=timeTaken\":)(.\d?))" | timechart span=60s avg(time) as avgTime

0 Karma
Reply

to4kawa
Ultra Champion
‎02-12-2020 02:13 PM

have you try my answer?

0 Karma
Reply

to4kawa
Ultra Champion
‎02-12-2020 01:33 PM 
index = "my_cluster_name" "kubernetes.labels.app"=my.app "timeTaken"
| rex "timeTaken.*?(?<timeTaken>\d+)" 
| timechart span=60s avg(timeTaken)

spath is not need.

Reply

somesoni2
Revered Legend
‎02-12-2020 11:58 AM

Your log is not in pure json format (some header text are available before json starts). Give this a try (extracting json part and running spath on that)

index = "my_cluster_name" "kubernetes.labels.app"=my.app  | rex "^([^\{]+)(?<jsonpart>.+)" | spath input=jsonpart | timechart span=60s avg(timeTaken)
Reply

soshua
New Member
‎02-12-2020 12:07 PM

Still doesn't work.

timechart span=60s avg(timeTaken) -- is this how I would reference jsonpart.timeTaken?

I tried timechart span=60s avg(timeTaken) as well as timechart span=60s avg(jsonpart.timeTaken)

0 Karma
Reply

Esky73
Builder
‎03-08-2020 07:20 AM

you timechart should work ok on the timeTaken field ?

 | makeresults count=1 
    | eval data="2020-02-12 17:50:15.228  INFO 1 --- [io-8080-exec-45] c.m.v.c.RequestInterceptor         : {\"logType\":\"RESPONS\",\"traceId\":\"03927a51-23d6-4530-a0e6-112b6d4b5539\",\"timestamp\":\"Feb 12, 2020 5:50:15 PM\",\"requestMethod\":\"GET\",\"requestUrl\":\"http://my.url\",\"responseStatus\":500,\"timeTaken\":28}\""
    | rex field=data "^([^{]+)(?P<json>.+})\"$"
    | spath input=json
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM & RUM | Upcoming Planned Maintenance

There will be planned maintenance of the streaming infrastructure for Splunk APM and Splunk RUM in the coming ...

Part 2: Diving Deeper With AIOps

Getting the Most Out of Event Correlation and Alert Storm Detection in Splunk IT Service Intelligence   Watch ...

User Groups | Upcoming Events!

If by chance you weren't already aware, the Splunk Community is host to numerous User Groups, organized ...