Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to fillnull json value pair in a subpath ?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
emallinger
Communicator
04-16-2021
04:11 AM
Hello,
I'm faced today with something I do not understand.
Here the structure of my event (JSON structured) :
{
dateReponse: 1618309228736
dateRequete: 1618309228622
id: 4572d
reponse: {
dossier: [
{
$c: PERSONNE
$i: 1
$l: 1
dateCreation: 1477036197000
dateModification: 1495047526000
id: 1
}
{
$c: IDENTITE
$i: 2
$l: 1
dateCreation: 1477036197000
dateModification: 1513858108603
nom: NOM1
prenom: prenom1
}
{
$c: IDENTITE
$i: 3
$l: 1
dateCreation: 1479206837000
dateModification: 1513858108603
nom: NOM2
}
]
}
}
I'd like to fillnum the field reponse.dossier{}.prenom with "unknown" when not present.
The content keep being blank.
I tried adding mvexpand and spath (even if it's already json parsed), no luck.
| mvexpand reponse.dossier{}.nom
| spath input=reponse.dossier{}
| fillnull value="unkown" reponse.dossier{}.prenom
I've tried adding a complete new field after reponse.dossier{}.prenom in the fillnull command, it worked just fine for the new field. Still not for my reponse.dossier{}.prenom.
I think I missed something, somewhere.
Any suggestion ?
Thanks in advance,
Ema
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
04-16-2021
04:53 AM
hi @emallinger,
You need to expand all the child dictionaries in the field dossier. Try this, here the field name will be prenom instead of reponse.dossier{}.prenom.
index=index spurcetype=sourcetype
| rex max_match=0 "(?<event>\{[^\{]+?\})"
| mvexpand event
| spath input=event
| fillnull value="unkown" prenom
If this reply helps you, a like would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
emallinger
Communicator
04-16-2021
06:03 AM
Hi !
Thank you very much !
Now I just have to integrate this into my whole request, but it'll be fine .
Regards,
Ema
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
manjunathmeti
Champion
04-16-2021
04:53 AM
hi @emallinger,
You need to expand all the child dictionaries in the field dossier. Try this, here the field name will be prenom instead of reponse.dossier{}.prenom.
index=index spurcetype=sourcetype
| rex max_match=0 "(?<event>\{[^\{]+?\})"
| mvexpand event
| spath input=event
| fillnull value="unkown" prenom
If this reply helps you, a like would be appreciated.
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
