Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to turn off parsing windows event json fields

angshul
Path Finder
‎10-31-2019 01:56 PM

I am using Splunk universal forwarder to forward events from windows event log to Splunk.
The event has data in JSON format which gets posted in Splunk as Message= e.g.

LogName=CustomLog
SourceName=ECEventLogProvider
EventCode=256
EventType=4
Type=Information
ComputerName=CHECHI12
TaskCategory=Network Events
OpCode=None
RecordNumber=133
Keywords=Classic
Message={
    "description" : "SSample text",
    "event_id" : "47",
    "id" : "22",
    "logtype" : "Error",
    "msgnum" : "0",
    "severity" : "Reserved",
    "source" : "Sample source",
    "status" : "New",
    "system_state" : "S4/S5",
    "timestamp" : "00-01-01 00:00:00",
    "timestamp_accuracy" : "Approximate"
}

I am thinking of parsing the json referred by Message in search query by using spath:

"logname=customlog" | spath input=Message| timechart count by event_id

The above search results in duplicate event_id values (e.g. "\"35\",", 35, "\"47\",", 47 etc.) since Splunk by default parses the data and spath parses it again.
How can I discard the Splunk parsed data and only get stats for the parsing specified in search?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

angshul
Path Finder
‎11-04-2019 12:10 PM

but this causes the problem I mentioned above (duplicate events)

I ended up doing following:

  • "logname=customlog" | fields host, SourceName, EventCode, EventType, Type, ComputerName, TaskCategory, OpCode, RecordNumber, Keywords, Message | spath input=Message output=EventMessage path=Message | spath input=Message output=Description path=description | spath input=Message output=event_id path=event_id | spath input=Message output=timestamp path=timestamp | spath input=Message output=source path=source | eval NewTime=strptime(timestamp,"%Y-%m-%d %H:%M:%S") | eval _time=NewTime | addinfo | where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity") | timechart count by event_id

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

angshul
Path Finder
‎11-04-2019 12:10 PM

but this causes the problem I mentioned above (duplicate events)

I ended up doing following:

  • "logname=customlog" | fields host, SourceName, EventCode, EventType, Type, ComputerName, TaskCategory, OpCode, RecordNumber, Keywords, Message | spath input=Message output=EventMessage path=Message | spath input=Message output=Description path=description | spath input=Message output=event_id path=event_id | spath input=Message output=timestamp path=timestamp | spath input=Message output=source path=source | eval NewTime=strptime(timestamp,"%Y-%m-%d %H:%M:%S") | eval _time=NewTime | addinfo | where _time>=info_min_time AND (_time<=info_max_time OR info_max_time="+Infinity") | timechart count by event_id

View solution in original post

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎11-09-2019 04:19 PM

OK, come on back and click Accept on your answer to close the question.

0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎10-31-2019 02:21 PM

Like this:

index="YouShouldAlwaysSpecifyAnIndex" AND sourcetype="AndSourcetypeToo" AND "logname=customlog"
| spath input=Message
| timechart count(SomeFieldNameThatIsOnlyCreatedBySpathHere) BY event_id
0 Karma
Reply
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!