Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to return value from specific key within an object?

bmohammadi
Explorer
‎08-11-2022 05:01 AM

Dear Community,

I am new to Splunk so apologies for the newbie question:

Basic Problem

I have a field which holds an Object and I am having difficulties retrieving a value from a specific key within this object.

Purpose

I am running a search and I want to retrieve two datetime values from two separate keys within a field, find the difference between these 2 datetime values and finally return a list of events where the difference is less than a particular value.

I know how to return a table of results based on a simple criteria and can perform datetime manipulations, I just cannot retrieve the actual datetime values needed to make the calculation.

*I can successfully store the whole object to a variable using the eval command but cannot extract the value from it.

Assumptions

The thing I am working with is indeed an Object. I.e. a dictionary style list in the following format

{"key1" : "value" , "key2" : "value" , "key2" : "value"}

I am attempting to extract the value using the eval command

 

Any help would be greatly appreciated.

Kind regards,

Ben

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-11-2022 05:09 AM

Use spath - by default spath works on _raw, but you can specify an input field e.g. the field holding your object.

If this isn't enough to go on, perhaps you can provide a bit more detail as to what you are dealing with, e.g. some sample events and which fields you have already extracted from them.

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-11-2022 05:09 AM

Use spath - by default spath works on _raw, but you can specify an input field e.g. the field holding your object.

If this isn't enough to go on, perhaps you can provide a bit more detail as to what you are dealing with, e.g. some sample events and which fields you have already extracted from them.

Reply
Solved! Jump to solution

bmohammadi
Explorer
‎08-11-2022 07:59 AM

Thank you very much ITWhisperer!

I was able to achieve what I wanted using the following syntax based on you recommendation:

| eval myVariable=spath(fieldName, "Key2")

0 Karma
Reply
Get Updates on the Splunk Community!

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...