Splunk Search

How to get spath to auto_extract the fields

riotto
Path Finder

I have events that will be indexed that will look like the below:

2019-06-06 21:12:40.397 { "response": "NodeJST5109TIJPMCACS0700099901DIGITALFUSANodeJST5109ACEQ1TU1", "elapsedTime": 347 }

I would like to extract the elapsedTime field where it is greater than 5000
I cannot seem to get spath to auto_extract the fields so that I can get the events ...where elapsedTime > 5000

This should be straightforward, but I cannot get it to work...any help will be appreciated

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@riotto

Your events having a mixture of text & JSON. SO we have to extract a field from that JSON part. Can you please try this?

YOUR_SEARCH | rex field=_raw "(?<json_data>\{.+\})" 
| eval _raw=json_data 
| kv | where elapsedTime > 5000 | table elapsedTime

My Sample Search:

| makeresults 
| eval _raw="2019-06-06 21:12:40.397 { \"response\": \"NodeJST5109TIJPMCACS0700099901DIGITALFUSANodeJST5109ACEQ1TU1\", \"elapsedTime\": 347 }" 
| append [ | makeresults | eval _raw="2019-06-06 21:12:40.397 { \"response\": \"NodeJST5109TIJPMCACS0700099901DIGITALFUSANodeJST5109ACEQ1TU1\", \"elapsedTime\": 5347 }" ]
| rex field=_raw "(?<json_data>\{.+\})" 
| eval _raw=json_data 
| kv | where elapsedTime > 5000 | table elapsedTime

Thanks

0 Karma

badarsebard
Communicator

The spath command works on an input field, _raw by default. You'll need to have your JSON object extracted to a field you can reference via spath input=<fieldname>.

Alternatively, if you have access to the application change the log format to be something friendlier.

0 Karma

riotto
Path Finder

Do you have an example I can try for the above event? I can't seem to get something right on it...

0 Karma
Get Updates on the Splunk Community!

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...

Observability Highlights | January 2023 Newsletter

 January 2023New Product Releases Splunk Network Explorer for Infrastructure MonitoringSplunk unveils Network ...

Security Highlights | January 2023 Newsletter

January 2023 Splunk Security Essentials (SSE) 3.7.0 ReleaseThe free Splunk Security Essentials (SSE) 3.7.0 app ...