Splunk Search

Not getting values for message.backendCalls.responseCode field in below query

r_s01
Explorer

When trying to fetch values using the below query, it's not showing results in statistics. The reason is that I want to fetch message.backendCalls.responseCode as well in my statistics response; it's showing nothing there when I am adding the same field at the end of the below query.

Query:

index="uhcportals-prod-logs" sourcetype=kubernetes container_name="myuhc-sso" logger="com.uhg.myuhc.log.SplunkLog" message.ssoType="Outbound" | spath "message.incomingRequest.partner" | rename message.incomingRequest.partner as "SSO_Partner" | search "SSO_Partner"=* | stats distinct_count("UUID") as Count by SSO_Partner, Membership_LOB, message.backendCalls.responseCode



When I am not adding the same field, it shows the below results:

[screenshot: r_s01_0-1735114326763.png]

Below is the whole JSON from which I am trying to fetch the response code.

{ [-]
   @timestamp: 2024-12-25T08:10:57.764Z
   Membership_Category: *******
   Membership_LOB: ****
   UUID: ********
   adminId:*************
   adminLevel: *************
   correlation-id: *************
   dd.env:*************
   dd.service:*************
   dd.span_id:*************
   dd.trace_id:*************
   dd.version:*************
   logger:*************
   message: { [-]
     backendCalls: [ [-]
       { [-]
         elapsedTime: ****
         endPoint:*************
         requestObject: { [+]
         }
         responseCode: 200
         responseObject: { [+]
         }
       }
     ]

0 Karma

yuanliu
SplunkTrust

Several pointers about asking questions:

  1. When sharing structured data, please click "Raw text" before copying from the event window.  Splunk's formatted display creates a hurdle for volunteers to reverse.
  2. If you expect people to help read some SPL code you illustrate, your illustrated data should include relevant details used in your code.  For example, your illustration does not give indication of message.ssoType, message.incomingRequest.partner, etc. (In the following, I will assume that they are flat paths that require no special treatment.)

The key to solving your problem is to note that the JSON node message.backendCalls is an array.  In SPL, a flattened JSON array is denoted with a pair of curly brackets, i.e., message.backendCalls{}.  In addition, IF the raw events have a structure similar to your illustration, message.incomingRequest.partner, message.backendCalls{}.*, etc., should already have been extracted by Splunk at search time.  There is no need for spath.  Furthermore, placing filters in the index search is more efficient than putting them downstream.  Combining these pointers, you should consider


index="uhcportals-prod-logs" sourcetype=kubernetes container_name="myuhc-sso" logger="com.uhg.myuhc.log.SplunkLog"
  message.ssoType="Outbound" message.incomingRequest.partner = *
| rename message.incomingRequest.partner as "SSO_Partner"
| stats distinct_count("UUID") as Count by SSO_Partner, Membership_LOB, message.backendCalls{}.responseCode


Your sample data would result in

SSO_Partner   Membership_LOB   message.backendCalls{}.responseCode   Count
FBI           CIA              200                                   1

Here is a reverse-engineered emulation for you to play with and compare with real data.


| makeresults
| eval _raw = "{
   \"@timestamp\": \"2024-12-25T08:10:57.764Z\",
   \"Membership_Category\": \"*******\",
   \"Membership_LOB\": \"CIA\",
   \"UUID\": \"********\",
   \"adminId\":\"*************\",
   \"adminLevel\": \"*************\",
   \"correlation-id\": \"*************\",
   \"dd.env\":\"*************\",
   \"dd.service\":\"*************\",
   \"dd.span_id\":\"*************\",
   \"dd.trace_id\":\"*************\",
   \"dd.version\":\"*************\",
   \"logger\":\"*************\",
   \"message\": {
     \"incomingRequest\": {
       \"partner\": \"FBI\"
     },
     \"ssoType\": \"Outbound\",
     \"backendCalls\": [
       {
         \"elapsedTime\": \"****\",
         \"endPoint\":\"*************\",
         \"requestObject\": {
         },
         \"responseCode\": 200,
         \"responseObject\": {
         }
       }
     ]
  }
}"
| spath
```
the above emulates
index="uhcportals-prod-logs" sourcetype=kubernetes container_name="myuhc-sso" logger="com.uhg.myuhc.log.SplunkLog"
  message.ssoType="Outbound" message.incomingRequest.partner = *
```

0 Karma
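As an added illustration (not part of yuanliu's answer or of any Splunk documentation), the emulation below extends the same approach to an event whose backendCalls array holds two calls, to show how stats treats the multivalue message.backendCalls{}.responseCode field. The event contents, UUID and endpoints are constructed, not real data.

```spl
| makeresults
| eval _raw = "{
   \"UUID\": \"constructed-uuid-1\",
   \"Membership_LOB\": \"CIA\",
   \"message\": {
     \"ssoType\": \"Outbound\",
     \"incomingRequest\": { \"partner\": \"FBI\" },
     \"backendCalls\": [
       { \"endPoint\": \"/constructed/eligibility\", \"responseCode\": 200 },
       { \"endPoint\": \"/constructed/claims\",      \"responseCode\": 500 }
     ]
   }
}"
| spath
| rename message.incomingRequest.partner as "SSO_Partner"
| stats distinct_count("UUID") as Count by SSO_Partner, Membership_LOB, message.backendCalls{}.responseCode
```

After spath, message.backendCalls{}.responseCode is a multivalue field holding 200 and 500, and because stats groups an event under each value of a multivalue split-by field, this single event produces two rows (FBI / CIA / 200 / 1 and FBI / CIA / 500 / 1), so the Count column reflects SSO transactions per response code, not backend calls. If you need one row per backend call instead, add `| mvexpand message.backendCalls{}.responseCode` before the stats command.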