How to search indexed JSON array output for objects that match a distinct name/value pair

beetlegeuse
Path Finder

I'm calling a REST API using curl on a UF to collect data from a remote DataPower appliance; the output is in JSON format and is written to a flat file that Splunk ingests and indexes. The JSON data looks like this (this snippet represents one event ingested by Splunk with three classes/objects cited in the "ObjectStatus" array; in reality, there can be dozens and dozens of classes/objects within the array):

    {
      "_links" : {
        "self" : {"href" : "/mgmt/status/default/ObjectStatus"},
        "doc" : {"href" : "/mgmt/docs/status/ObjectStatus"}},
      "ObjectStatus" : [{
        "Class" : "DNSNameService",
        "OpState" : "up",
        "AdminState" : "enabled",
        "Name" : "dns",
        "EventCode" : "0x00000000",
        "ErrorCode" : "",
        "ConfigState" : "saved"}, {
        "Class" : "CRLFetch",
        "OpState" : "down",
        "AdminState" : "enabled",
        "Name" : "crl",
        "EventCode" : "0x00360010",
        "ErrorCode" : "No CRLs configured",
        "ConfigState" : "saved"}, {
        "Class" : "Statistics",
        "OpState" : "up",
        "AdminState" : "enabled",
        "Name" : "statistics",
        "EventCode" : "0x00000000",
        "ErrorCode" : "",
        "ConfigState" : "saved"}]}

I'm using a custom sourcetype to process the events in Splunk; props.conf looks like this (installed on both the UF and my indexers):

    [dp_json]
    INDEXED_EXTRACTIONS = json
    KV_MODE = none

Splunk appears to be processing the events correctly, as the following fields are present (and match up with the expected values):

    ObjectStatus{}.AdminState
    ObjectStatus{}.Class
    ObjectStatus{}.ConfigState
    ObjectStatus{}.ErrorCode
    ObjectStatus{}.EventCode
    ObjectStatus{}.Name
    ObjectStatus{}.OpState

Here's my dilemma. I would like to identify objects in a particular state. For example:  I would like to know which objects in the array have ObjectStatus{}.OpState equal to "down", with the ObjectStatus{}.Class and ObjectStatus{}.OpState returned for each object that matches. I've tried a search query such as this...

    sourcetype=dp_json index=main "ObjectStatus{}.OpState"="down" | table "ObjectStatus{}.Class", "ObjectStatus{}.OpState"

...but this returns every Class from each event, regardless of OpState being "up" or "down".

What adjustments are required in order to get the output I'm looking for?

0 Karma

Nisha18789
Builder

@beetlegeuse, your query looks correct, but have you tried with "ObjectStatus{}.OpState"="*down*" to rule out any possibility of spaces in the value?

0 Karma

to4kawa
Ultra Champion

    index=_internal | head 1| fields _raw
    | eval _raw="{\"_links\":{\"self\":{\"href\":\"/mgmt/status/default/ObjectStatus\"},\"doc\":{\"href\":\"/mgmt/docs/status/ObjectStatus\"}},\"ObjectStatus\":[{\"Class\":\"DNSNameService\",\"OpState\":\"up\",\"AdminState\":\"enabled\",\"Name\":\"dns\",\"EventCode\":\"0x00000000\",\"ErrorCode\":\"\",\"ConfigState\":\"saved\"},{\"Class\":\"CRLFetch\",\"OpState\":\"down\",\"AdminState\":\"enabled\",\"Name\":\"crl\",\"EventCode\":\"0x00360010\",\"ErrorCode\":\"No CRLs configured\",\"ConfigState\":\"saved\"},{\"Class\":\"Statistics\",\"OpState\":\"up\",\"AdminState\":\"enabled\",\"Name\":\"statistics\",\"EventCode\":\"0x00000000\",\"ErrorCode\":\"\",\"ConfigState\":\"saved\"}]}"
    | spath ObjectStatus{} output=ObjectStatus
    | spath
    | stats values(links.*) as * by ObjectStatus
    | spath input=ObjectStatus
    | fields - ObjectStatus
    | search OpState=down
0 Karma
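An added illustration in Python (not Splunk code from either post) of why the search in the question returns every Class: indexed JSON extraction yields one multivalue field per key (`ObjectStatus{}.Class`, `ObjectStatus{}.OpState`, ...), so the per-object grouping is lost and the filter matches the whole event. Evaluating the filter per array member, which is what to4kawa's `spath ObjectStatus{}` plus one-row-per-object approach achieves, keeps Class and OpState paired. The event is the question's own sample, re-typed here as constructed input.

```python
import json

# Constructed sample event: the three-object ObjectStatus array from the question.
EVENT = json.loads("""
{"_links": {"self": {"href": "/mgmt/status/default/ObjectStatus"},
            "doc":  {"href": "/mgmt/docs/status/ObjectStatus"}},
 "ObjectStatus": [
  {"Class": "DNSNameService", "OpState": "up",   "AdminState": "enabled", "Name": "dns",
   "EventCode": "0x00000000", "ErrorCode": "",                   "ConfigState": "saved"},
  {"Class": "CRLFetch",       "OpState": "down", "AdminState": "enabled", "Name": "crl",
   "EventCode": "0x00360010", "ErrorCode": "No CRLs configured", "ConfigState": "saved"},
  {"Class": "Statistics",     "OpState": "up",   "AdminState": "enabled", "Name": "statistics",
   "EventCode": "0x00000000", "ErrorCode": "",                   "ConfigState": "saved"}]}
""")


def flatten_indexed(event):
    """Mimic INDEXED_EXTRACTIONS=json: each array member contributes its values to
    one multivalue field per key, named ObjectStatus{}.<Key>. Only the flat value
    lists survive; which value came from which object is no longer recorded."""
    fields = {}
    for obj in event["ObjectStatus"]:
        for key, value in obj.items():
            fields.setdefault("ObjectStatus{}." + key, []).append(value)
    return fields


def naive_search(fields, state):
    """The search from the question. The event matches when *any* OpState value
    equals `state`, and the table then shows every Class of that event, paired
    with the OpState list by position only (Splunk renders them as multivalue cells)."""
    if state in fields["ObjectStatus{}.OpState"]:
        return list(zip(fields["ObjectStatus{}.Class"], fields["ObjectStatus{}.OpState"]))
    return []


def per_object_search(event, state):
    """Filter evaluated per array member (the effect of expanding ObjectStatus{}
    into one row per object): only objects whose own OpState matches are returned."""
    return [(o["Class"], o["OpState"]) for o in event["ObjectStatus"] if o["OpState"] == state]


if __name__ == "__main__":
    print("naive:     ", naive_search(flatten_indexed(EVENT), "down"))
    print("per-object:", per_object_search(EVENT, "down"))
```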