Splunk Search

How to search indexed JSON array output for objects that match a distinct name/value pair

beetlegeuse
Path Finder

I'm calling a REST API using curl on a UF to collect data from a remote DataPower appliance; the output is in JSON format and is written to a flat file that Splunk ingests and indexes. The JSON data looks like this (this snippet represents one event ingested by Splunk with three classes/objects cited in the "ObjectStatus" array; in reality, there can be dozens and dozens of classes/objects within the array):

    {
      "_links" : {
        "self" : {"href" : "/mgmt/status/default/ObjectStatus"},
        "doc" : {"href" : "/mgmt/docs/status/ObjectStatus"}},
      "ObjectStatus" : [{
        "Class" : "DNSNameService",
        "OpState" : "up",
        "AdminState" : "enabled",
        "Name" : "dns",
        "EventCode" : "0x00000000",
        "ErrorCode" : "",
        "ConfigState" : "saved"}, {
        "Class" : "CRLFetch",
        "OpState" : "down",
        "AdminState" : "enabled",
        "Name" : "crl",
        "EventCode" : "0x00360010",
        "ErrorCode" : "No CRLs configured",
        "ConfigState" : "saved"}, {
        "Class" : "Statistics",
        "OpState" : "up",
        "AdminState" : "enabled",
        "Name" : "statistics",
        "EventCode" : "0x00000000",
        "ErrorCode" : "",
        "ConfigState" : "saved"}]}

I'm using a custom sourcetype to process the events in Splunk; props.conf looks like this (installed on both the UF and my indexers):

    [dp_json]
    INDEXED_EXTRACTIONS = json
    KV_MODE = none

Splunk appears to be processing the events correctly, as the following fields are present (and match up with the expected values):

    ObjectStatus{}.AdminState
    ObjectStatus{}.Class
    ObjectStatus{}.ConfigState
    ObjectStatus{}.ErrorCode
    ObjectStatus{}.EventCode
    ObjectStatus{}.Name
    ObjectStatus{}.OpState

Here's my dilemma. I would like to identify objects in a particular state. For example: I would like to know which objects in the array have ObjectStatus{}.OpState equal to "down", with the ObjectStatus{}.Class and ObjectStatus{}.OpState returned for each object that matches. I've tried a search query such as this...

    sourcetype=dp_json index=main "ObjectStatus{}.OpState"="down" | table "ObjectStatus{}.Class", "ObjectStatus{}.OpState"

...but this returns every Class from each event, regardless of OpState being "up" or "down".

What adjustments are required in order to get the output I'm looking for?


Nisha18789
Builder

@beetlegeuse, your query looks correct, but have you tried with "ObjectStatus{}.OpState"="*down*" to rule out any possibility of spaces in the value?


to4kawa
Ultra Champion

    index=_internal | head 1 | fields _raw
    | eval _raw="{\"_links\":{\"self\":{\"href\":\"/mgmt/status/default/ObjectStatus\"},\"doc\":{\"href\":\"/mgmt/docs/status/ObjectStatus\"}},\"ObjectStatus\":[{\"Class\":\"DNSNameService\",\"OpState\":\"up\",\"AdminState\":\"enabled\",\"Name\":\"dns\",\"EventCode\":\"0x00000000\",\"ErrorCode\":\"\",\"ConfigState\":\"saved\"},{\"Class\":\"CRLFetch\",\"OpState\":\"down\",\"AdminState\":\"enabled\",\"Name\":\"crl\",\"EventCode\":\"0x00360010\",\"ErrorCode\":\"No CRLs configured\",\"ConfigState\":\"saved\"},{\"Class\":\"Statistics\",\"OpState\":\"up\",\"AdminState\":\"enabled\",\"Name\":\"statistics\",\"EventCode\":\"0x00000000\",\"ErrorCode\":\"\",\"ConfigState\":\"saved\"}]}"
    | spath ObjectStatus{} output=ObjectStatus
    | spath
    | stats values(links.*) as * by ObjectStatus
    | spath input=ObjectStatus
    | fields - ObjectStatus
    | search OpState=down
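Added example (mine, not code from either post): a Python model of why the asker's flattened search returns every Class, and of the per-element extraction that to4kawa's `spath ObjectStatus{} output=ObjectStatus ... spath input=ObjectStatus` sequence performs. The `flatten()` naming rules are my approximation of how INDEXED_EXTRACTIONS=json names nested and array fields; the sample event is constructed from the JSON in the question.

```python
import json

# Constructed sample event: the DataPower ObjectStatus document from the question.
SAMPLE_EVENT = json.dumps({
    "_links": {"self": {"href": "/mgmt/status/default/ObjectStatus"},
               "doc": {"href": "/mgmt/docs/status/ObjectStatus"}},
    "ObjectStatus": [
        {"Class": "DNSNameService", "OpState": "up", "AdminState": "enabled", "Name": "dns",
         "EventCode": "0x00000000", "ErrorCode": "", "ConfigState": "saved"},
        {"Class": "CRLFetch", "OpState": "down", "AdminState": "enabled", "Name": "crl",
         "EventCode": "0x00360010", "ErrorCode": "No CRLs configured", "ConfigState": "saved"},
        {"Class": "Statistics", "OpState": "up", "AdminState": "enabled", "Name": "statistics",
         "EventCode": "0x00000000", "ErrorCode": "", "ConfigState": "saved"},
    ],
})


def flatten(node, prefix="", out=None):
    """Approximation of INDEXED_EXTRACTIONS=json naming: nested keys join with '.',
    and every array element lands in one multivalue field per leaf, suffixed '{}'."""
    out = {} if out is None else out
    if isinstance(node, dict):
        for key, value in node.items():
            flatten(value, f"{prefix}.{key}" if prefix else key, out)
    elif isinstance(node, list):
        for item in node:
            flatten(item, prefix + "{}", out)
    else:
        out.setdefault(prefix, []).append(str(node))
    return out


def table_flattened(raw, field, value, columns):
    """The asker's search: the whole event matches when ANY array element carries
    the value, and `table` then emits every value of each multivalue column."""
    event = flatten(json.loads(raw))
    if value not in event.get(field, []):
        return {}
    return {col: event.get(col, []) for col in columns}


def table_expanded(raw, field, value, columns):
    """Per-object filtering: one JSON string per array element (spath ... output=),
    re-extract each element on its own (spath input=), then filter row by row."""
    rows = []
    for element in (json.dumps(obj) for obj in json.loads(raw)["ObjectStatus"]):
        fields = flatten(json.loads(element))
        if fields.get(field) == [value]:
            rows.append({col: fields[col][0] for col in columns})
    return rows
```

With the flattened fields, `ObjectStatus{}.OpState` is the multivalue `up, down, up`, so the event matches and the table lists all three classes; after expansion only the CRLFetch row survives the `OpState=down` filter.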