Splunk Search

How to search indexed JSON array output for objects that match a distinct name/value pair

Path Finder

I'm calling a REST API using curl on a UF to collect data from a remote DataPower appliance; the output is in JSON format and is written to a flat file that Splunk ingests and indexes. The JSON data looks like this (this snippet represents one event ingested by Splunk with three classes/objects cited in the "ObjectStatus" array; in reality, there can be dozens and dozens of classes/objects within the array):


"_links" : {

"self" : {"href" : "/mgmt/status/default/ObjectStatus"},

"doc" : {"href" : "/mgmt/docs/status/ObjectStatus"}},

"ObjectStatus" : [{

"Class" : "DNSNameService",

"OpState" : "up",

"AdminState" : "enabled",

"Name" : "dns",

"EventCode" : "0x00000000",

"ErrorCode" : "",

"ConfigState" : "saved"}, {

"Class" : "CRLFetch",

"OpState" : "down",

"AdminState" : "enabled",

"Name" : "crl",

"EventCode" : "0x00360010",

"ErrorCode" : "No CRLs configured",

"ConfigState" : "saved"}, {

"Class" : "Statistics",

"OpState" : "up",

"AdminState" : "enabled",

"Name" : "statistics",

"EventCode" : "0x00000000",

"ErrorCode" : "",

"ConfigState" : "saved"}]}


I'm using a custom sourcetype to process the events in Splunk; props.conf looks like this (installed on both the UF and my indexers):

    KV_MODE = none

Splunk appears to be processing the events correctly, as the following fields are present (and match up with the expected values):








Here's my dilemma. I would like to identify objects in a particular state. For example:  I would like to know which objects in the array have ObjectStatus{}.OpState equal to "down", with the ObjectStatus{}.Class and ObjectStatus{}.OpState returned for each object that matches. I've tried a search query such as this...

    sourcetype=dp_json index=main "ObjectStatus{}.OpState"="down" | table "ObjectStatus{}.Class", "ObjectStatus{}.OpState"

...but this returns every Class from each event, regardless of OpState being "up" or "down".

What adjustments are required in order to get the output I'm looking for?

Labels (1)
0 Karma


@beetlegeuse , your query looks correct , but have you tried with "ObjectStatus{}.OpState"="*down*"  

to rule any possibility of spaces in the value.



0 Karma

Ultra Champion
index=_internal | head 1| fields _raw
| eval _raw="{\"_links\":{\"self\":{\"href\":\"/mgmt/status/default/ObjectStatus\"},\"doc\":{\"href\":\"/mgmt/docs/status/ObjectStatus\"}},\"ObjectStatus\":[{\"Class\":\"DNSNameService\",\"OpState\":\"up\",\"AdminState\":\"enabled\",\"Name\":\"dns\",\"EventCode\":\"0x00000000\",\"ErrorCode\":\"\",\"ConfigState\":\"saved\"},{\"Class\":\"CRLFetch\",\"OpState\":\"down\",\"AdminState\":\"enabled\",\"Name\":\"crl\",\"EventCode\":\"0x00360010\",\"ErrorCode\":\"No CRLs configured\",\"ConfigState\":\"saved\"},{\"Class\":\"Statistics\",\"OpState\":\"up\",\"AdminState\":\"enabled\",\"Name\":\"statistics\",\"EventCode\":\"0x00000000\",\"ErrorCode\":\"\",\"ConfigState\":\"saved\"}]}"
| spath ObjectStatus{} output=ObjectStatus
| spath
| stats values(links.*) as * by ObjectStatus
| spath input=ObjectStatus
| fields - ObjectStatus
| search OpState=down
0 Karma
Get Updates on the Splunk Community!

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...

Admin Your Splunk Cloud, Your Way

Join us to maximize different techniques to best tune Splunk Cloud. In this Tech Enablement, you will get ...