Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Most Recent Series of Events Selection

bseifert14
Engager
‎04-23-2018 03:11 PM

I have a series of tests that are performed at random times throughout the week. There are a total of 12 events. Each event contains a series of tests

I have a collection of 12 tests that contain nested data inside. For example:

{results: 
         {
            did_pass: true
            unique_id: 12345
            test_number= 1
            test_statistics: { 
                              another_unique_id: abcde
                              }
           }
           {
             did_pass: false
             unique_id: 67891
             test_number= 1
             test_statistics: { 
                              another_unique_id: fghijk
                               }
             }
}

{results: 
         {
            did_pass: false
            unique_id: 111213
            test_number= 2
            test_statistics: { 
                              another_unique_id: lmnop
                              }
           }
           {
            did_pass: true
               unique_id: 141516
               test_number= 2
               test_statistics: { 
                                 another_unique_id: qrstuv
                                  }
             }
}

Is there any command that would loop through all of these results? I've tried "| dedup test_number" but have gotten nowhere with it.

Tags (2)
0 Karma
Reply

woodcock
Esteemed Legend
‎04-23-2018 05:38 PM

Try this:

| makeresults
| eval raw="{results: 
   {
      did_pass: true
      unique_id: 12345
      test_number= 1
      test_statistics: { 
         another_unique_id: abcde
      }
   }
   {
      did_pass: false
      unique_id: 67891
      test_number= 1
      test_statistics: { 
         another_unique_id: fghijk
      }
   }
}:::{results: 
   {
      did_pass: false
      unique_id: 111213
      test_number= 2
      test_statistics: { 
         another_unique_id: lmnop
      }
   }
   {
      did_pass: true
      unique_id: 141516
      test_number= 2
      test_statistics: { 
         another_unique_id: qrstuv
      }
   }
 }"
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| rex max_match=0 "(?ms)\s*{\s+(?<test>did_pass[^}]+})"
| mvexpand test
| rex field=test "did_pass:\s*(?<did_pass>\S+)\s+unique_id:\s+(?<unique_id>\S+)\s+test_number\s*=\s*(?<test_number>\d+)\s+test_statistics:\s+{\s*another_unique_id:\s*(?<another_unique_id>\S+)"
| dedup test_number
0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...