Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to show two json response in single field?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
karthi2809
Builder
04-01-2024
09:50 AM
Hi Guys,
I want to show two field values into single column in a table .query and sample logs given below.
index="mulesoft" applicationName="api" |spath content.payload{}
|mvexpand content.payload{}| transaction correlationId
| rename "content.payload{}.AP Import flow processing results{}.requestID" as RequestID
"content.payload{}.GL Import flow processing results{}.impConReqId" as ImpConReqId content.payload{} as response
| eval OracleRequestId="RequestID: ".RequestID." ImpConReqId: ".ImpConReqId|table response OracleRequestId
Actual Result
| response | OracleRequestId |
| GL Import flow related results : Extract has no GL records to Import into Oracle { "AP Import flow processing results" : [ { "concurBatchId" : "395", "requestID" : "101660728", "returnMessage" : null, "returnStatus" : "SUCCESS", "insertCount" : "72", "fileName" : "CONCUR_APAC_APINV_1711965640.csv" } ] } | |
| { "AP Import flow processing results" : [ { "concurBatchId" : "393", "requestID" : "101572722", "returnMessage" : null, "returnStatus" : "SUCCESS", "insertCount" : "66", "fileName" : "CONCUR_APAC_APINV_1711620043.csv" } ] } { "GL Import flow processing results" : [ { "concurBatchId" : "393", "batchId" : "6409", "count" : "5", "impConReqId" : "101572713", "errorMessage" : null, "filename" : "CONCUR_APAC_GLJE_51711620043.csv" } ] } | RequestID: 101572722 ImpConReqId: 101572713 |
Expected Result:
| response | OracleRequestId |
| GL Import flow related results : Extract has no GL records to Import into Oracle { "AP Import flow processing results" : [ { "concurBatchId" : "395", "requestID" : "101660728", "returnMessage" : null, "returnStatus" : "SUCCESS", "insertCount" : "72", "fileName" : "CONCUR_APAC_APINV_1711965640.csv" } ] } | requestID:101660728 |
| { "AP Import flow processing results" : [ { "concurBatchId" : "393", "requestID" : "101572722", "returnMessage" : null, "returnStatus" : "SUCCESS", "insertCount" : "66", "fileName" : "CONCUR_APAC_APINV_1711620043.csv" } ] } { "GL Import flow processing results" : [ { "concurBatchId" : "393", "batchId" : "6409", "count" : "5", "impConReqId" : "101572713", "errorMessage" : null, "filename" : "CONCUR_APAC_GLJE_51711620043.csv" } ] } | RequestID: 101572722 ImpConReqId: 101572713 |
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
04-01-2024
10:27 AM
OracleRequestId is empty because your eval doesn't take into account that ImpConReqId is not present in some of your events - either use fillnull on this field or modify the eval to take care when this field is null
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
04-01-2024
10:27 AM
OracleRequestId is empty because your eval doesn't take into account that ImpConReqId is not present in some of your events - either use fillnull on this field or modify the eval to take care when this field is null
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
karthi2809
Builder
04-02-2024
03:27 AM
Hi @ITWhisperer
Yes its working i used isnull before the field values its working .But in below senario its not showing any values. Out of three there are two null values in impConReqId.so its not showing any values in table
AP Import flow related results : Extract has no AP records to Import into Oracle
{
"GL Import flow processing results" : [ {
"concurBatchId" : "463",
"batchId" : "6393",
"count" : "1000",
"impConReqId" : null,
"errorMessage" : null,
"filename" : "81711505038.csv"
}, {
"concurBatchId" : "463",
"batchId" : "6393",
"count" : "1000",
"impConReqId" : null,
"errorMessage" : null,
"filename" : "11505038.csv"
}, {
"concurBatchId" : "463",
"batchId" : "6393",
"count" : "1000",
"impConReqId" : null,
"errorMessage" : null,
"filename" : "CONCUR_GLJE_37681711505038.csv"
}, {
"concurBatchId" : "463",
"batchId" : "6393",
"count" : "768",
"impConReqId" : "101539554",
"errorMessage" : null,
"filename" : "711505038.csv"
} ]
}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
04-02-2024
03:31 AM
What is your current search?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
karthi2809
Builder
04-02-2024
03:32 AM
index="mulesoft" applicationName="api" |spath content.payload{}
|mvexpand content.payload{}| transaction correlationId
| rename "content.payload{}.AP Import flow processing results{}.requestID" as RequestID
"content.payload{}.GL Import flow processing results{}.impConReqId" as ImpConReqId content.payload{} as response
|eval OracleRequestId="RequestID: ".if(isnull(RequestID),0,RequestID)." ImpConReqId: ".if(isnull(ImpConReqId),0,ImpConReqId)|table OracleRequestId response- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
04-02-2024
03:35 AM
What is the full search?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
karthi2809
Builder
04-02-2024
03:43 AM
index="mulesoft" applicationName="api" |spath content.payload{}
|mvexpand content.payload{}| transaction correlationId
| rename "content.payload{}.AP Import flow processing results{}.requestID" as RequestID
"content.payload{}.GL Import flow processing results{}.impConReqId" as ImpConReqId content.payload{} as response
|eval OracleRequestId="RequestID: ".if(isnull(RequestID),0,RequestID)." ImpConReqId: ".if(isnull(ImpConReqId),0,ImpConReqId)|table OracleRequestId response- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
04-02-2024
05:41 AM
The fields are probably multivalue fields for some of your transactions which is why the eval is not working. You should probably start again with your events and work out how to break them up into separate parts so that you can create the composite id, in other words, to get where you want to be, don't start from where you are, you need to go back some steps.
Get Updates on the Splunk Community!
Building Reliable Asset and Identity Frameworks in Splunk ES
Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...
Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting
For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...
Automatic Discovery Part 3: Practical Use Cases
If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...
