I'm calling a REST API using curl on a UF to collect data from a remote DataPower appliance; the output is in JSON format and is written to a flat file that Splunk ingests and indexes. The JSON data looks like this (this snippet represents one event ingested by Splunk with three classes/objects cited in the "ObjectStatus" array; in reality, there can be dozens and dozens of classes/objects within the array):
{
  "_links" : {
    "self" : {"href" : "/mgmt/status/default/ObjectStatus"},
    "doc" : {"href" : "/mgmt/docs/status/ObjectStatus"}},
  "ObjectStatus" : [{
    "Class" : "DNSNameService",
    "OpState" : "up",
    "AdminState" : "enabled",
    "Name" : "dns",
    "EventCode" : "0x00000000",
    "ErrorCode" : "",
    "ConfigState" : "saved"}, {
    "Class" : "CRLFetch",
    "OpState" : "down",
    "AdminState" : "enabled",
    "Name" : "crl",
    "EventCode" : "0x00360010",
    "ErrorCode" : "No CRLs configured",
    "ConfigState" : "saved"}, {
    "Class" : "Statistics",
    "OpState" : "up",
    "AdminState" : "enabled",
    "Name" : "statistics",
    "EventCode" : "0x00000000",
    "ErrorCode" : "",
    "ConfigState" : "saved"}]}
I'm using a custom sourcetype to process the events in Splunk; props.conf looks like this (installed on both the UF and my indexers):
[dp_json]
INDEXED_EXTRACTIONS = json
KV_MODE = none
Splunk appears to be processing the events correctly, as the following fields are present (and match up with the expected values):
ObjectStatus{}.AdminState
ObjectStatus{}.Class
ObjectStatus{}.ConfigState
ObjectStatus{}.ErrorCode
ObjectStatus{}.EventCode
ObjectStatus{}.Name
ObjectStatus{}.OpState
Here's my dilemma. I would like to identify objects in a particular state. For example: I would like to know which objects in the array have ObjectStatus{}.OpState equal to "down", with the ObjectStatus{}.Class and ObjectStatus{}.OpState returned for each object that matches. I've tried a search query such as this...
sourcetype=dp_json index=main "ObjectStatus{}.OpState"="down" | table "ObjectStatus{}.Class", "ObjectStatus{}.OpState"
...but this returns every Class from each event, regardless of OpState being "up" or "down".
What adjustments are required in order to get the output I'm looking for?
@beetlegeuse, your query looks correct, but have you tried with "ObjectStatus{}.OpState"="*down*"
to rule out any possibility of spaces in the value?
index=_internal | head 1| fields _raw
| eval _raw="{\"_links\":{\"self\":{\"href\":\"/mgmt/status/default/ObjectStatus\"},\"doc\":{\"href\":\"/mgmt/docs/status/ObjectStatus\"}},\"ObjectStatus\":[{\"Class\":\"DNSNameService\",\"OpState\":\"up\",\"AdminState\":\"enabled\",\"Name\":\"dns\",\"EventCode\":\"0x00000000\",\"ErrorCode\":\"\",\"ConfigState\":\"saved\"},{\"Class\":\"CRLFetch\",\"OpState\":\"down\",\"AdminState\":\"enabled\",\"Name\":\"crl\",\"EventCode\":\"0x00360010\",\"ErrorCode\":\"No CRLs configured\",\"ConfigState\":\"saved\"},{\"Class\":\"Statistics\",\"OpState\":\"up\",\"AdminState\":\"enabled\",\"Name\":\"statistics\",\"EventCode\":\"0x00000000\",\"ErrorCode\":\"\",\"ConfigState\":\"saved\"}]}"
| spath ObjectStatus{} output=ObjectStatus
| spath
| stats values(links.*) as * by ObjectStatus
| spath input=ObjectStatus
| fields - ObjectStatus
| search OpState=down
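The behaviour behind both the question and the answer, as an added Python illustration (not Splunk code and not either poster's): it models how INDEXED_EXTRACTIONS = json folds every array element into one multivalue field per key, why "ObjectStatus{}.OpState"="down" then matches the whole event (and table returns every Class), and why expanding the array into one row per object before filtering, which is what the per-element spath in the answer achieves, gives only the objects that are actually down. The multivalue semantics are modelled as a simplification, not copied from Splunk's implementation; the sample event is constructed from the JSON in the question, and the extra key=value criteria in matching_objects go slightly beyond the single OpState filter asked about.

```python
import json

# Constructed sample event: the DataPower ObjectStatus payload from the question,
# three objects, one of them (CRLFetch) in OpState "down".
SAMPLE_EVENT = json.dumps({
    "_links": {
        "self": {"href": "/mgmt/status/default/ObjectStatus"},
        "doc": {"href": "/mgmt/docs/status/ObjectStatus"},
    },
    "ObjectStatus": [
        {"Class": "DNSNameService", "OpState": "up", "AdminState": "enabled",
         "Name": "dns", "EventCode": "0x00000000", "ErrorCode": "",
         "ConfigState": "saved"},
        {"Class": "CRLFetch", "OpState": "down", "AdminState": "enabled",
         "Name": "crl", "EventCode": "0x00360010", "ErrorCode": "No CRLs configured",
         "ConfigState": "saved"},
        {"Class": "Statistics", "OpState": "up", "AdminState": "enabled",
         "Name": "statistics", "EventCode": "0x00000000", "ErrorCode": "",
         "ConfigState": "saved"},
    ],
})


def indexed_fields(event_json):
    """Simplified model of INDEXED_EXTRACTIONS = json for this event: every key of
    every array element is folded into ONE multivalue field named
    ObjectStatus{}.<key>, so ObjectStatus{}.OpState holds ['up', 'down', 'up']
    for the whole event (assumption: a model, not Splunk's own code)."""
    fields = {}
    for obj in json.loads(event_json).get("ObjectStatus", []):
        for key, value in obj.items():
            fields.setdefault("ObjectStatus{}." + key, []).append(value)
    return fields


def event_matches(fields, field, value):
    """Model of the search-time test "<field>"="<value>" on a multivalue field:
    the event matches if ANY of its values equals the literal. The filter
    selects the event, not the array element inside it."""
    return value in fields.get(field, [])


def table_columns(fields, *columns):
    """Model of '| table ...' on the matched event: each column comes back whole,
    so every Class in the array is listed, not only the one whose OpState matched."""
    return {column: list(fields.get(column, [])) for column in columns}


def matching_objects(event_json, **criteria):
    """Expand the array into one row per object BEFORE filtering (the effect of
    the per-element spath / stats-by trick in the answer), then keep the rows
    that satisfy every key=value criterion, e.g. OpState="down"."""
    rows = []
    for obj in json.loads(event_json).get("ObjectStatus", []):
        if all(obj.get(key) == value for key, value in criteria.items()):
            rows.append({"Class": obj["Class"], "OpState": obj["OpState"]})
    return rows


if __name__ == "__main__":
    f = indexed_fields(SAMPLE_EVENT)
    print("event matches OpState=down:",
          event_matches(f, "ObjectStatus{}.OpState", "down"))
    print("table on the matched event:",
          table_columns(f, "ObjectStatus{}.Class", "ObjectStatus{}.OpState"))
    print("per-object filter:", matching_objects(SAMPLE_EVENT, OpState="down"))
```

Run stand-alone, the first two lines reproduce the symptom from the question (the event matches, and all three classes are tabled), while the last returns only CRLFetch. The design point is the order of operations: filter after expanding the array into rows, never on the multivalue field of the whole event.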