Splunk Search

Not able to use JSON fields in search

sabari80
Explorer

This is my sample event

onlinequoteinguser 2023-01-11T10:27:13,843 INFO DigitalPortal.xxxeSubmissionUtil
{"hostName": "xxx80hlxxda044",
"SourceSystem": "null",
"level": "INFO",
"message": "Start | newSubmission",
"serverId": "prod-xxx_xx78",
"userId": "onlinequoteinguser",
"contextMap": [
{"JsonRpcId":"b55296cf-81e1-4xxx-8064-052dxx416725_5"},
{"methodName":"createOrUpdateDraftSubmission"},
{"traceabilityID":"7cxxx367-09aa-4367-87d4-b120526xxxcb"},
{"requestPath":"\/edge\/xxxquoteflow\/letsgetstarted"}],
"applicationName": "xx",
"timestamp": "20230111T102713.841-0500"}

here is my query to retrieve specific event based my my JSON field 

index=app_xx Appid="APP-xxxx" Environment=PROD "contextMap{}.methodName"="createOrUpdateDraftSubmission" 

 

How to make appropriate search?

Labels (1)
0 Karma
1 Solution

yuanliu
SplunkTrust
SplunkTrust

A job for spath.  But first, you need to separate the JSON object.

 

| eval eSubmission = replace(_raw, "onlinequoteinguser .*eSubmissionUtil", "")
| spath input=eSubmission
| fields - data eSubmission

 

Your sample data gives

sourceSystemapplicationNamecontextMap{}.JsonRpcIdcontextMap{}.methodNamecontextMap{}.requestPathcontextMap{}.traceabilityIDhostNamelevelmessageserverIdtimestampuserId
nullxxb55296cf-81e1-4xxx-8064-052dxx416725_5createOrUpdateDraftSubmission/edge/xxxquoteflow/letsgetstarted7cxxx367-09aa-4367-87d4-b120526xxxcbxxx80hlxxda044INFOStart | newSubmissionprod-xxx_xx7820230111T102713.841-0500onlinequoteinguser

Here is the emulation I used.  You can play with it and compare to real data.

 

| makeresults
| fields - _time
| eval data = "onlinequoteinguser 2023-01-11T10:27:13,843 INFO DigitalPortal.xxxeSubmissionUtil
{\"hostName\": \"xxx80hlxxda044\",
\"SourceSystem\": \"null\",
\"level\": \"INFO\",
\"message\": \"Start | newSubmission\",
\"serverId\": \"prod-xxx_xx78\",
\"userId\": \"onlinequoteinguser\",
\"contextMap\": [
{\"JsonRpcId\":\"b55296cf-81e1-4xxx-8064-052dxx416725_5\"},
{\"methodName\":\"createOrUpdateDraftSubmission\"},
{\"traceabilityID\":\"7cxxx367-09aa-4367-87d4-b120526xxxcb\"},
{\"requestPath\":\"\/edge\/xxxquoteflow\/letsgetstarted\"}],
\"applicationName\": \"xx\",
\"timestamp\": \"20230111T102713.841-0500\"}"
``` data emulation above ```

 

 

View solution in original post

Tags (2)

yuanliu
SplunkTrust
SplunkTrust

A job for spath.  But first, you need to separate the JSON object.

 

| eval eSubmission = replace(_raw, "onlinequoteinguser .*eSubmissionUtil", "")
| spath input=eSubmission
| fields - data eSubmission

 

Your sample data gives

sourceSystemapplicationNamecontextMap{}.JsonRpcIdcontextMap{}.methodNamecontextMap{}.requestPathcontextMap{}.traceabilityIDhostNamelevelmessageserverIdtimestampuserId
nullxxb55296cf-81e1-4xxx-8064-052dxx416725_5createOrUpdateDraftSubmission/edge/xxxquoteflow/letsgetstarted7cxxx367-09aa-4367-87d4-b120526xxxcbxxx80hlxxda044INFOStart | newSubmissionprod-xxx_xx7820230111T102713.841-0500onlinequoteinguser

Here is the emulation I used.  You can play with it and compare to real data.

 

| makeresults
| fields - _time
| eval data = "onlinequoteinguser 2023-01-11T10:27:13,843 INFO DigitalPortal.xxxeSubmissionUtil
{\"hostName\": \"xxx80hlxxda044\",
\"SourceSystem\": \"null\",
\"level\": \"INFO\",
\"message\": \"Start | newSubmission\",
\"serverId\": \"prod-xxx_xx78\",
\"userId\": \"onlinequoteinguser\",
\"contextMap\": [
{\"JsonRpcId\":\"b55296cf-81e1-4xxx-8064-052dxx416725_5\"},
{\"methodName\":\"createOrUpdateDraftSubmission\"},
{\"traceabilityID\":\"7cxxx367-09aa-4367-87d4-b120526xxxcb\"},
{\"requestPath\":\"\/edge\/xxxquoteflow\/letsgetstarted\"}],
\"applicationName\": \"xx\",
\"timestamp\": \"20230111T102713.841-0500\"}"
``` data emulation above ```

 

 

Tags (2)

richgalloway
SplunkTrust
SplunkTrust

Please share the props.conf settings for that sourcetype.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...