Not coming values for message.backendCalls.responseCode field in below query

r_s01
Explorer

When trying to fetch values using the query below, it is not showing results in Statistics. The reason is that I want to fetch message.backendCalls.responseCode as well in my statistics response; when I add that field at the end of the query below, it shows nothing there.

Query:

index="uhcportals-prod-logs" sourcetype=kubernetes container_name="myuhc-sso" logger="com.uhg.myuhc.log.SplunkLog" message.ssoType="Outbound" | spath "message.incomingRequest.partner" | rename message.incomingRequest.partner as "SSO_Partner" | search "SSO_Partner"=* | stats distinct_count("UUID") as Count by SSO_Partner, Membership_LOB, message.backendCalls.responseCode

When I am not adding that field, it shows the results below:

[screenshot: statistics results without the responseCode field]

Below is the whole JSON event from which I am trying to fetch the response code.

{ [-]
   @timestamp: 2024-12-25T08:10:57.764Z
   Membership_Category: *******
   Membership_LOB: ****
   UUID: ********
   adminId:*************
   adminLevel: *************
   correlation-id: *************
   dd.env:*************
   dd.service:*************
   dd.span_id:*************
   dd.trace_id:*************
   dd.version:*************
   logger:*************
   message: { [-]
     backendCalls: [ [-]
       { [-]
         elapsedTime: ****
         endPoint:*************
         requestObject: { [+]
         }
         responseCode: 200
         responseObject: { [+]
         }
       }
     ]

yuanliu
SplunkTrust

Several pointers about asking questions:

  1. When sharing structured data, please click "Raw text" before copying from the event window.  Splunk's formatted display creates a hurdle for volunteers to reverse.
  2. If you expect people to help read some SPL code you illustrate, your illustrated data should include relevant details used in your code.  For example, your illustration does not give indication of message.ssoType, message.incomingRequest.partner, etc. (In the following, I will assume that they are flat paths that require no special treatment.)

The key to solving your problem is to note that the JSON node message.backendCalls is an array.  In SPL, a flattened JSON array is denoted with a pair of curly brackets, i.e., message.backendCalls{}.  In addition, if the raw events have a structure similar to your illustration, message.incomingRequest.partner, message.backendCalls{}.*, etc., should already have been extracted by Splunk at search time.  There is no need for spath.  Furthermore, placing filters in the index search is more efficient than putting them downstream.  Combining these pointers, you should consider

index="uhcportals-prod-logs" sourcetype=kubernetes container_name="myuhc-sso" logger="com.uhg.myuhc.log.SplunkLog"
  message.ssoType="Outbound" message.incomingRequest.partner = *
| rename message.incomingRequest.partner as "SSO_Partner"
| stats distinct_count("UUID") as Count by SSO_Partner, Membership_LOB, message.backendCalls{}.responseCode

Your sample data would result in

SSO_Partner  Membership_LOB  message.backendCalls{}.responseCode  Count
FBI          CIA             200                                  1

Here is a reverse engineered emulation for you to play with and compare with real data

| makeresults
| eval _raw = "{
   \"@timestamp\": \"2024-12-25T08:10:57.764Z\",
   \"Membership_Category\": \"*******\",
   \"Membership_LOB\": \"CIA\",
   \"UUID\": \"********\",
   \"adminId\":\"*************\",
   \"adminLevel\": \"*************\",
   \"correlation-id\": \"*************\",
   \"dd.env\":\"*************\",
   \"dd.service\":\"*************\",
   \"dd.span_id\":\"*************\",
   \"dd.trace_id\":\"*************\",
   \"dd.version\":\"*************\",
   \"logger\":\"*************\",
   \"message\": {
     \"incomingRequest\": {
       \"partner\": \"FBI\"
     },
     \"ssoType\": \"Outbound\",
     \"backendCalls\": [
       {
         \"elapsedTime\": \"****\",
         \"endPoint\":\"*************\",
         \"requestObject\": {
         },
         \"responseCode\": 200,
         \"responseObject\": {
         }
       }
     ]
  }
}"
| spath
```
the above emulates
index="uhcportals-prod-logs" sourcetype=kubernetes container_name="myuhc-sso" logger="com.uhg.myuhc.log.SplunkLog"
  message.ssoType="Outbound" message.incomingRequest.partner = *
```
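Added example (not part of the answer above, and not Splunk's own code): a small Python emulation of how Splunk flattens a JSON event into field names, run over a constructed event with two backend calls. It shows why `stats ... by message.backendCalls.responseCode` returns no rows while the `{}` form works, and that the `{}` field is multivalue, so each response code becomes its own group. The `stats_dc_by` helper is a simplified model of `stats distinct_count(...) by ...`, not the real command.

```python
from collections import defaultdict
from itertools import product

# Constructed sample event (already decoded) modelled on the redacted event
# in the question, with two backend calls so the array becomes multivalue.
SAMPLE_EVENT = {
    "Membership_LOB": "CIA", "UUID": "u-0001",
    "message": {
        "ssoType": "Outbound", "incomingRequest": {"partner": "FBI"},
        "backendCalls": [{"endPoint": "/a", "responseCode": 200},
                         {"endPoint": "/b", "responseCode": 503}],
    },
}


def flatten_splunk(obj, prefix=""):
    """Flatten decoded JSON into {splunk_field_name: [values]}.
    Mirrors spath / automatic JSON extraction naming: nested object keys
    join with '.', each array level appends '{}' to the key (so all array
    elements land in one multivalue field), and values become strings."""
    fields = defaultdict(list)
    if isinstance(obj, dict):
        for key, value in obj.items():
            name = f"{prefix}.{key}" if prefix else key
            for k, v in flatten_splunk(value, name).items():
                fields[k].extend(v)
    elif isinstance(obj, list):
        for item in obj:
            for k, v in flatten_splunk(item, prefix + "{}").items():
                fields[k].extend(v)
    else:
        fields[prefix].append(str(obj))
    return dict(fields)


def stats_dc_by(events, by_fields, dc_field="UUID"):
    """Approximate `stats distinct_count(dc_field) by <by_fields>` over
    decoded events. As in Splunk, a multivalue 'by' field yields one group
    per value and an event missing any 'by' field is dropped, so grouping by
    the non-existent message.backendCalls.responseCode returns no rows."""
    groups = defaultdict(set)
    for event in events:
        fields = flatten_splunk(event)
        if dc_field not in fields or any(f not in fields for f in by_fields):
            continue
        for combo in product(*(fields[f] for f in by_fields)):
            groups[combo].update(fields[dc_field])
    return {combo: len(uuids) for combo, uuids in groups.items()}
```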
