Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Most Recent Series of Events Selection
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Most Recent Series of Events Selection
bseifert14
Engager
04-23-2018
03:11 PM
I have a series of tests that are performed at random times throughout the week. There are a total of 12 events. Each event contains a series of tests
I have a collection of 12 tests that contain nested data inside. For example:
{results:
{
did_pass: true
unique_id: 12345
test_number= 1
test_statistics: {
another_unique_id: abcde
}
}
{
did_pass: false
unique_id: 67891
test_number= 1
test_statistics: {
another_unique_id: fghijk
}
}
}
{results:
{
did_pass: false
unique_id: 111213
test_number= 2
test_statistics: {
another_unique_id: lmnop
}
}
{
did_pass: true
unique_id: 141516
test_number= 2
test_statistics: {
another_unique_id: qrstuv
}
}
}
Is there any command that would loop through all of these results? I've tried "| dedup test_number" but have gotten nowhere with it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
woodcock
Esteemed Legend
04-23-2018
05:38 PM
Try this:
| makeresults
| eval raw="{results:
{
did_pass: true
unique_id: 12345
test_number= 1
test_statistics: {
another_unique_id: abcde
}
}
{
did_pass: false
unique_id: 67891
test_number= 1
test_statistics: {
another_unique_id: fghijk
}
}
}:::{results:
{
did_pass: false
unique_id: 111213
test_number= 2
test_statistics: {
another_unique_id: lmnop
}
}
{
did_pass: true
unique_id: 141516
test_number= 2
test_statistics: {
another_unique_id: qrstuv
}
}
}"
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw
| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"
| rex max_match=0 "(?ms)\s*{\s+(?<test>did_pass[^}]+})"
| mvexpand test
| rex field=test "did_pass:\s*(?<did_pass>\S+)\s+unique_id:\s+(?<unique_id>\S+)\s+test_number\s*=\s*(?<test_number>\d+)\s+test_statistics:\s+{\s*another_unique_id:\s*(?<another_unique_id>\S+)"
| dedup test_number
Get Updates on the Splunk Community!
Observe and Secure All Apps with Splunk
Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...
Splunk Decoded: Business Transactions vs Business IQ
It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...
Fastest way to demo Observability
I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...
