Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Not able to use JSON fields in search

sabari80
Explorer
‎01-11-2023 07:55 AM

This is my sample event

onlinequoteinguser 2023-01-11T10:27:13,843 INFO DigitalPortal.xxxeSubmissionUtil
{"hostName": "xxx80hlxxda044",
"SourceSystem": "null",
"level": "INFO",
"message": "Start | newSubmission",
"serverId": "prod-xxx_xx78",
"userId": "onlinequoteinguser",
"contextMap": [
{"JsonRpcId":"b55296cf-81e1-4xxx-8064-052dxx416725_5"},
{"methodName":"createOrUpdateDraftSubmission"},
{"traceabilityID":"7cxxx367-09aa-4367-87d4-b120526xxxcb"},
{"requestPath":"\/edge\/xxxquoteflow\/letsgetstarted"}],
"applicationName": "xx",
"timestamp": "20230111T102713.841-0500"}

here is my query to retrieve specific event based my my JSON field 

index=app_xx Appid="APP-xxxx" Environment=PROD "contextMap{}.methodName"="createOrUpdateDraftSubmission" 

 

How to make appropriate search?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎01-11-2023 10:52 AM

A job for spath.  But first, you need to separate the JSON object.

 

| eval eSubmission = replace(_raw, "onlinequoteinguser .*eSubmissionUtil", "")
| spath input=eSubmission
| fields - data eSubmission

 

Your sample data gives

sourceSystemapplicationNamecontextMap{}.JsonRpcIdcontextMap{}.methodNamecontextMap{}.requestPathcontextMap{}.traceabilityIDhostNamelevelmessageserverIdtimestampuserId
nullxxb55296cf-81e1-4xxx-8064-052dxx416725_5createOrUpdateDraftSubmission/edge/xxxquoteflow/letsgetstarted7cxxx367-09aa-4367-87d4-b120526xxxcbxxx80hlxxda044INFOStart | newSubmissionprod-xxx_xx7820230111T102713.841-0500onlinequoteinguser

Here is the emulation I used.  You can play with it and compare to real data.

 

| makeresults
| fields - _time
| eval data = "onlinequoteinguser 2023-01-11T10:27:13,843 INFO DigitalPortal.xxxeSubmissionUtil
{\"hostName\": \"xxx80hlxxda044\",
\"SourceSystem\": \"null\",
\"level\": \"INFO\",
\"message\": \"Start | newSubmission\",
\"serverId\": \"prod-xxx_xx78\",
\"userId\": \"onlinequoteinguser\",
\"contextMap\": [
{\"JsonRpcId\":\"b55296cf-81e1-4xxx-8064-052dxx416725_5\"},
{\"methodName\":\"createOrUpdateDraftSubmission\"},
{\"traceabilityID\":\"7cxxx367-09aa-4367-87d4-b120526xxxcb\"},
{\"requestPath\":\"\/edge\/xxxquoteflow\/letsgetstarted\"}],
\"applicationName\": \"xx\",
\"timestamp\": \"20230111T102713.841-0500\"}"
``` data emulation above ```

 

 

View solution in original post

Tags (2)
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎01-11-2023 10:52 AM

A job for spath.  But first, you need to separate the JSON object.

 

| eval eSubmission = replace(_raw, "onlinequoteinguser .*eSubmissionUtil", "")
| spath input=eSubmission
| fields - data eSubmission

 

Your sample data gives

sourceSystemapplicationNamecontextMap{}.JsonRpcIdcontextMap{}.methodNamecontextMap{}.requestPathcontextMap{}.traceabilityIDhostNamelevelmessageserverIdtimestampuserId
nullxxb55296cf-81e1-4xxx-8064-052dxx416725_5createOrUpdateDraftSubmission/edge/xxxquoteflow/letsgetstarted7cxxx367-09aa-4367-87d4-b120526xxxcbxxx80hlxxda044INFOStart | newSubmissionprod-xxx_xx7820230111T102713.841-0500onlinequoteinguser

Here is the emulation I used.  You can play with it and compare to real data.

 

| makeresults
| fields - _time
| eval data = "onlinequoteinguser 2023-01-11T10:27:13,843 INFO DigitalPortal.xxxeSubmissionUtil
{\"hostName\": \"xxx80hlxxda044\",
\"SourceSystem\": \"null\",
\"level\": \"INFO\",
\"message\": \"Start | newSubmission\",
\"serverId\": \"prod-xxx_xx78\",
\"userId\": \"onlinequoteinguser\",
\"contextMap\": [
{\"JsonRpcId\":\"b55296cf-81e1-4xxx-8064-052dxx416725_5\"},
{\"methodName\":\"createOrUpdateDraftSubmission\"},
{\"traceabilityID\":\"7cxxx367-09aa-4367-87d4-b120526xxxcb\"},
{\"requestPath\":\"\/edge\/xxxquoteflow\/letsgetstarted\"}],
\"applicationName\": \"xx\",
\"timestamp\": \"20230111T102713.841-0500\"}"
``` data emulation above ```

 

 

Tags (2)
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-11-2023 10:47 AM

Please share the props.conf settings for that sourcetype.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...