Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to turn off parsing windows event json fields

angshul
Path Finder
‎10-31-2019 01:56 PM

I am using Splunk universal forwarder to forward events from windows event log to Splunk.
The event has data in JSON format which gets posted in Splunk as Message= e.g.

LogName=CustomLog
SourceName=ECEventLogProvider
EventCode=256
EventType=4
Type=Information
ComputerName=CHECHI12
TaskCategory=Network Events
OpCode=None
RecordNumber=133
Keywords=Classic
Message={
    "description" : "SSample text",
    "event_id" : "47",
    "id" : "22",
    "logtype" : "Error",
    "msgnum" : "0",
    "severity" : "Reserved",
    "source" : "Sample source",
    "status" : "New",
    "system_state" : "S4/S5",
    "timestamp" : "00-01-01 00:00:00",
    "timestamp_accuracy" : "Approximate"
}

I am thinking of parsing the json referred by Message in search query by using spath:

"logname=customlog" | spath input=Message| timechart count by event_id

The above search results in duplicate event_id values (e.g. "\"35\",", 35, "\"47\",", 47 etc.) since Splunk by default parses the data and spath parses it again.
How can I discard the Splunk parsed data and only get stats for the parsing specified in search?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

angshul
Path Finder
‎11-04-2019 12:10 PM

but this causes the problem I mentioned above (duplicate events)

I ended up doing following:

  • "logname=customlog" | fields host, SourceName, EventCode, EventType, Type, ComputerName, TaskCategory, OpCode, RecordNumber, Keywords, Message | spath input=Message output=EventMessage path=Message | spath input=Message output=Description path=description | spath input=Message output=event_id path=event_id | spath input=Message output=timestamp path=timestamp | spath input=Message output=source path=source | eval NewTime=strptime(timestamp,"%Y-%m-%d %H:%M:%S") | eval _time=NewTime | addinfo | where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity") | timechart count by event_id

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

angshul
Path Finder
‎11-04-2019 12:10 PM

but this causes the problem I mentioned above (duplicate events)

I ended up doing following:

  • "logname=customlog" | fields host, SourceName, EventCode, EventType, Type, ComputerName, TaskCategory, OpCode, RecordNumber, Keywords, Message | spath input=Message output=EventMessage path=Message | spath input=Message output=Description path=description | spath input=Message output=event_id path=event_id | spath input=Message output=timestamp path=timestamp | spath input=Message output=source path=source | eval NewTime=strptime(timestamp,"%Y-%m-%d %H:%M:%S") | eval _time=NewTime | addinfo | where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity") | timechart count by event_id

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-09-2019 04:19 PM

OK, come on back and click Accept on your answer to close the question.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎10-31-2019 02:21 PM

Like this:

index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="AndSourcetypeToo" AND "logname=customlog"
| spath input=Message
| timechart count(SomeFieldNameThatIsOnlyCreatedBySpathHere) BY event_id
0 Karma
Reply
Don’t Miss Global Splunk
User Groups Week!

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!