Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Please help me extract the tags from json format s...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Please help me extract the tags from json format so i can show the count and tagname in tabular format
Hemant_h
Engager
10-03-2024
05:56 AM
"c7n:MatchedFilters":
[ "tag:ApplicationFailoverGroup",
"tag:AppTier", "tag:Attributes",
"tag:DBNodes",
"tag:rk_aws_native_account_id",
"tag:rk_cluster_id", "tag:rk_component",
"tag:rk_instance_class", "tag:rk_job_id",
"tag:rk_managed", "tag:rk_object",
"tag:rk_restore_source_region",
"tag:rk_restore_timestamp",
"tag:rk_source_snapshot_native_id",
"tag:rk_source_vm_native_id",
"tag:rk_source_vm_native_name",
"tag:rk_taskchain_id",
"tag:rk_user",
"tag:rk_version" ]- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
10-03-2024
06:39 AM
| spath c7n:MatchedFilters{} output=MatchedFilters
| foreach mode=multivalue MatchedFilters
[| eval MatchedFilters=trim(MatchedFilters,"tag:")]
| chart count over _time by MatchedFilters useother=f- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
PickleRick
SplunkTrust
10-04-2024
02:38 PM
Out of curiosity - why foreach? mvmap() wouldn't suffice? I find foreach... a bit unsplunky 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hemant_h
Engager
10-03-2024
06:49 AM
Getting this result, i dont see tag name in list
_time NULL
| 2024-10-02 15:45:39.507 | 2 |
| 2024-10-02 15:45:39.508 | 1 |
| 2024-10-02 15:45:39.516 | 1 |
| 2024-10-02 15:46:14.196 | 6 |
| 2024-10-02 15:46:14.199 | 3 |
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
10-03-2024
08:31 AM
Probably because you gave an incomplete description of the events you are working with, the fields that have already been extracted, the SPL you used to get those results, and what your expected result should look like. We can only work with what you provide. We do not have access to your environment, so we are guessing most of the time.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hemant_h
Engager
10-04-2024
01:49 AM
This is the log and we want the list of tag coming under "c7n:MatchedFilters"
4844905100000003",
"GroupId": "sg-016abb0533b5b9082"
},
{
"GroupName": "gsus-prod-net-01-win-sg-20220512164844866600000001",
"GroupId": "sg-0257bb3846318d5fd"
},
{
"GroupName": "gsus-prod-net-01-app-4567-prod-1-web-1-sg",
"GroupId": "sg-08a32c6c1fd77d74c"
}
],
"Ipv6Addresses": [],
"MacAddress": "12:82:2d:d7:0e:77",
"NetworkInterfaceId": "eni-0cf7cff30aa78de47",
"OwnerId": "189682858917",
"PrivateDnsName": "ip-172-23-42-148.ec2.internal",
"PrivateIpAddress": "172.23.42.148",
"PrivateIpAddresses": [
{
"Primary": true,
"PrivateDnsName": "ip-172-23-42-148.ec2.internal",
"PrivateIpAddress": "172.23.42.148"
}
],
"SourceDestCheck": true,
"Status": "in-use",
"SubnetId": "subnet-07a45e67dbf4d63aa",
"VpcId": "vpc-0e8954f5da98fe98d",
"InterfaceType": "interface"
}
],
"RootDeviceName": "/dev/sda1",
"RootDeviceType": "ebs",
"SecurityGroups": [
{
"GroupName": "gsus-prod-net-01-cmdb-sg-2022051216484634970000000a",
"GroupId": "sg-04908349d0f791aec"
},
{
"GroupName": "gsus-prod-net-01-web-sg-20220512164845489300000007",
"GroupId": "sg-031fac541f8a85381"
},
{
"GroupName": "gsus-prod-net-01-dtc-sg-20220512164844905100000003",
"GroupId": "sg-016abb0533b5b9082"
},
{
"GroupName": "gsus-prod-net-01-win-sg-20220512164844866600000001",
"GroupId": "sg-0257bb3846318d5fd"
},
{
"GroupName": "gsus-prod-net-01-app-4567-prod-1-web-1-sg",
"GroupId": "sg-08a32c6c1fd77d74c"
}
],
"SourceDestCheck": true,
"Tags": [
{
"Key": "Repository",
"Value": "https://github.thehartford.com/HIG/gs_tfe_servicebus_app4567"
},
{
"Key": "hig-data-classification",
"Value": "CompanyConfidential"
},
{
"Key": "module_name",
"Value": "terraform-aws-ec2-instance"
},
{
"Key": "BackupGroup",
"Value": "GSUSProdSilverEC2"
},
{
"Key": "DynatraceMonitoring",
"Value": "true"
},
{
"Key": "Domain",
"Value": "ad1.prod"
},
{
"Key": "Comments",
"Value": ""
},
{
"Key": "hig-billing",
"Value": "APP-4567"
},
{
"Key": "hig-environment-type",
"Value": "PROD"
},
{
"Key": "AppTier",
"Value": "Web"
},
{
"Key": "IMDSv2 Date",
"Value": "04/24/2023, 16:15:21"
},
{
"Key": "IMDSv2",
"Value": "Enabled"
},
{
"Key": "Hosted Region",
"Value": "US"
},
{
"Key": "Owner",
"Value": "HIG"
},
{
"Key": "Schedule",
"Value": ""
},
{
"Key": "ServiceTier",
"Value": "Silver"
},
{
"Key": "Name",
"Value": "ServiceBus-app-4567-prod-ue1-web02"
},
{
"Key": "DB Nodes",
"Value": "None"
},
{
"Key": "Description",
"Value": ""
},
{
"Key": "Hostname",
"Value": "a4567e1pdweb002"
},
{
"Key": "ThirdParty",
"Value": "Yes"
},
{
"Key": "OS",
"Value": "Windows 2016"
},
{
"Key": "module_version",
"Value": "v4.3.2"
},
{
"Key": "Environment",
"Value": "PROD"
},
{
"Key": "DataClassification",
"Value": "CompanyConfidential"
},
{
"Key": "AppClass",
"Value": "Silver"
},
{
"Key": "Lifecycle",
"Value": "Provisioning"
},
{
"Key": "hig-planit-appid",
"Value": "APP-4567-PROD"
},
{
"Key": "AppName",
"Value": "Service Bus"
},
{
"Key": "Billing",
"Value": "APP-4567"
},
{
"Key": "Pipeline",
"Value": "https://jenkinsci.thehartford.com/iac-1/job/IAC/job/GS/job/ServiceBus-4567/job/gsus_4567_servicebus-ue1_aws_gsprod/"
},
{
"Key": "map-migrated",
"Value": "d-server-026syrvrlphyig"
},
{
"Key": "PatchingFlag",
"Value": "Tag Applied"
},
{
"Key": "LOB",
"Value": "Global Specialty"
},
{
"Key": "AppOwner",
"Value": "Marty Cabeceiras"
},
{
"Key": "Alias Names",
"Value": "asbngwebprod02"
},
{
"Key": "AppId",
"Value": "APP-4567"
},
{
"Key": "hig-owner",
"Value": "marty.cabeceiras@thehartford.com"
},
{
"Key": "PatchGroup",
"Value": "Non DB Node B"
}
],
"VirtualizationType": "hvm",
"CpuOptions": {
"CoreCount": 4,
"ThreadsPerCore": 2
},
"CapacityReservationSpecification": {
"CapacityReservationPreference": "open"
},
"HibernationOptions": {
"Configured": false
},
"MetadataOptions": {
"State": "applied",
"HttpTokens": "required",
"HttpPutResponseHopLimit": 1,
"HttpEndpoint": "enabled",
"HttpProtocolIpv6": "disabled",
"InstanceMetadataTags": "disabled"
},
"EnclaveOptions": {
"Enabled": false
},
"PlatformDetails": "Windows",
"UsageOperation": "RunInstances:0002",
"UsageOperationUpdateTime": "2023-04-24T15:58:42+00:00",
"PrivateDnsNameOptions": {
"HostnameType": "ip-name",
"EnableResourceNameDnsARecord": false,
"EnableResourceNameDnsAAAARecord": false
},
"MaintenanceOptions": {
"AutoRecovery": "default"
},
"CurrentInstanceBootMode": "legacy-bios",
"c7n:MatchedFilters": [
"tag:AccountType",
"tag:Attributes",
"tag:EnvironmentType",
"tag:ImageBuilder"
]
},
{
"AmiLaunchIndex": 0,
"ImageId": "ami-08435a7e5e61bc00b",
"InstanceId": "i-0b307f45f965d4222",
"InstanceType": "r5b.2xlarge",
"KeyName": "gsus-prod-net-01-key",
"LaunchTime": "2024-07-19T15:42:09+00:00",
"Monitoring": {
"State": "disabled"
},
"Placement": {
"AvailabilityZone": "us-east-1b",
"GroupName": "",
"Tenancy": "default"
},
"Platform": "windows",
"PrivateDnsName": "ip-172-23-43-196.ec2.internal",
"PrivateIpAddress": "172.23.43.196",
"ProductCodes": [],
"PublicDnsName": "",
"State": {
"Code": 16,
"Name": "running"
},
"StateTransitionReason": "",
"SubnetId": "subnet-03aa1e87392c5e63d",
"VpcId": "vpc-0e8954f5da98fe98d",
"Architecture": "x86_64",
"BlockDeviceMappings": [
{
"DeviceName": "/dev/sda1",
"Ebs": {
"AttachTime": "2024-07-19T15:41:21+00:00",
"DeleteOnTermination": false,
"Status": "attached",
"VolumeId": "vol-0d39da483194fdffa"
}
},
{
"DeviceName": "/dev/xvdf",
"Ebs": {
"AttachTime": "2023-07-06T19:30:04+00:00",
"DeleteOnTermination": false,
"Status": "attached",
"VolumeId": "vol-07813f09191a4af20"
}
},
{
"DeviceName": "/dev/xvdg",
"Ebs": {
"AttachTime": "2023-07-06T19:30:15+00:00",
"DeleteOnTermination": false,
"Status": "attached",
"VolumeId": "vol-05d213e8588431029"
}
},
{
"DeviceName": "/dev/xvdh",
"Ebs": {
"AttachTime": "2023-07-06T19:29:54+00:00",
"DeleteOnTermination": false,
"Status": "attached",
"VolumeId": "vol-08849724290ff4ff0"
}
},
{
"DeviceName": "/dev/xvdi",
"Ebs": {
"AttachTime": "2023-07-06T19:29:54+00:00",
"DeleteOnTermination": false,
"Status": "attached",
"VolumeId": "vol-0711192d14ffdc4ff"
}
},
{
"DeviceName": "/dev/xvdj",
"Ebs": {
"AttachTime": "2023-07-06T19:30:25+00:00",
"DeleteOnTermination": false,
"Status": "attached",
"VolumeId": "vol-0d8db3494a8c7254c"
}
},
{
"DeviceName": "/dev/xvdk",
"Ebs": {
"AttachTime": "2023-07-06T19:30:16+00:00",
"DeleteOnTermination": false,
"Status": "attached",
"VolumeId": "vol-0cba7f29aec3d9a35"
}
},
{
"DeviceName": "/dev/xvdl",
"Ebs": {
"AttachTime": "2023-07-06T19:30:15+00:00",
"DeleteOnTermination": false,
"Status": "attached",
"VolumeId": "vol-0810a5ac78ecf0e11"
}
},
{
"DeviceName": "/dev/xvdm",
"Ebs": {
"AttachTime": "2023-07-06T19:30:15+00:00",
"DeleteOnTermination": false,
"Status": "attached",
"VolumeId": "vol-0e4ec2b5f1bf4d871"
}
},
{
"DeviceName": "/dev/xvdn",
"Ebs": {
"AttachTime": "2023-07-06T19:29:54+00:00",
"DeleteOnTermination": false,
"Status": "attached",
"VolumeId": "vol-092a40b78baeeac7f"
}
},
{
"DeviceName": "/dev/xvdo",
"Ebs": {
"AttachTime": "2023-07-06T19:29:55+00:00",
"DeleteOnTermination": false,
"Status": "attached",
"VolumeId": "vol-0b1e2d02d509f3f5e"
}
},
{
"DeviceName": "/dev/xvdp",
"Ebs": {
"AttachTime": "2023-07-06T19:30:15+00:00",
"DeleteOnTermination": false,
"Status": "attached",
"VolumeId": "vol-01cabf285c719295f"
}
}
],
"ClientToken": "terraform-20230706192857135700000004",
"EbsOptimized": true,
"EnaSupport": true,
"Hypervisor": "xen",
"IamInstanceProfile": {
"Arn": "arn:aws:iam::189682858917:instance-profile/hig/WindowsEC2Role",
"Id": "AIPASYKP2XOSSBXPPW5LL"
},
"NetworkInterfaces": [
{
"Attachment": {
"AttachTime": "2023-07-06T19:28:58+00:00",
"AttachmentId": "eni-attach-09192f2a4fbf5a17d",
"DeleteOnTermination": false,
"DeviceIndex": 0,
"Status": "attached",
"NetworkCardIndex": 0
},
"Description": "",
"Groups": [
{
"GroupName": "gsus-prod-net-01-cmdb-sg-2022051216484634970000000a",
"GroupId": "sg-04908349d0f791aec"
},
{
"GroupName": "gsus-prod-net-01-sql-sg-20220512164845082300000004",
"GroupId": "sg-0b214ef19d0a4c0f7"
},
{
"GroupName": "gsus-prod-net-01-app-4587-v2sql-sg-20230707183929669400000001",
"GroupId": "sg-0c2f333cbfb09b29f"
},
{
"GroupName": "gsus-prod-net-01-win-sg-20220512164844866600000001",
"GroupId": "sg-0257bb3846318d5fd"
}
],
"Ipv6Addresses": [],
"MacAddress": "12:90:ce:a5:ca:a1",
"NetworkInterfaceId": "eni-0086b400faa99451d",
"OwnerId": "189682858917",
"PrivateDnsName": "ip-172-23-43-196.ec2.internal",
"PrivateIpAddress": "172.23.43.196",
"PrivateIpAddresses": [
{
"Primary": true,
"PrivateDnsName": "ip-172-23-43-196.ec2.internal",
"PrivateIpAddress": "172.23.43.196"
},
{
"Primary": false,
"PrivateDnsName": "ip-172-23-43-163.ec2.internal",
"PrivateIpAddress": "172.23.43.163"
},
{
"Primary": false,
"PrivateDnsName": "ip-172-23-43-141.ec2.internal",
"PrivateIpAddress": "172.23.43.141"
}
],
"SourceDestCheck": true,
"Status": "in-use",
"SubnetId": "subnet-03aa1e87392c5e63d",
"VpcId": "vpc-0e8954f5da98fe98d",
"InterfaceType": "interface"
}
],
"RootDeviceName": "/dev/sda1",
"RootDeviceType": "ebs",
"SecurityGroups": [
{
"GroupName": "gsus-prod-net-01-cmdb-sg-2022051216484634970000000a",
"GroupId": "sg-04908349d0f791aec"
},
{
"GroupName": "gsus-prod-net-01-sql-sg-20220512164845082300000004",
"GroupId": "sg-0b214ef19d0a4c0f7"
},
{
"GroupName": "gsus-prod-net-01-app-4587-v2sql-sg-20230707183929669400000001",
"GroupId": "sg-0c2f333cbfb09b29f"
},
{
"GroupName": "gsus-prod-net-01-win-sg-20220512164844866600000001",
"GroupId": "sg-0257bb3846318d5fd"
}
],
"SourceDestCheck": true,
"Tags": [
{
"Key": "Description",
"Value": ""
},
{
"Key": "hig-owner",
"Value": "mahesh.vidyasagar@thehartford.com"
},
{
"Key": "Billing",
"Value": "APP-4587"
},
{
"Key": "Repository",
"Value": "https://github.thehartford.com/HIG/gs_tfe_peoplesoft_app4587"
},
{
"Key": "Schedule",
"Value": "None"
},
{
"Key": "mssql_adou",
"Value": "OU=SQL-GS,OU=Windows,OU=Cloud,OU=Servers,DC=ad1,DC=prod"
},
{
"Key": "child_module_name",
"Value": "terraform-aws-ec2-db-mssql"
},
{
"Key": "mssql_instancename",
"Value": "MSSQLSERVER"
},
{
"Key": "module_name",
"Value": "terraform-aws-ec2-instance"
},
{
"Key": "Pipeline",
"Value": "https://jenkinsci.thehartford.com/iac-1/job/IAC/job/GS/job/PeopleSoft-4587/job/gsus_4587_peoplesoft_aws_gsprod/"
},
{
"Key": "IMDSv2",
"Value": "Enabled"
},
{
"Key": "IMDSv2 Date",
"Value": "07/06/2023, 19:30:24"
},
{
"Key": "PatchGroup",
"Value": "Multiple DB Node AZ2"
},
{
"Key": "module_version",
"Value": "v4.0.6"
},
{
"Key": "BackupDBGroup",
"Value": "ec2-sqldb-prod-silver"
},
{
"Key": "mssql_version",
"Value": "2019"
},
{
"Key": "AppOwner",
"Value": "Mahesh Vidyasagar"
},
{
"Key": "hig-planit-appid",
"Value": "APP-4587-PROD"
},
{
"Key": "ServiceTier",
"Value": "Silver"
},
{
"Key": "DBNodes",
"Value": "Secondary"
},
{
"Key": "Hostname",
"Value": "a4587ue1pwsag06"
},
{
"Key": "mssql_datavolumes",
"Value": "4"
},
{
"Key": "mssql_installtype",
"Value": "SAG"
},
{
"Key": "hig-data-classification",
"Value": "CompanyConfidential"
},
{
"Key": "PatchingFlag",
"Value": "Tag Applied"
},
{
"Key": "Environment",
"Value": "prod"
},
{
"Key": "Owner",
"Value": "HIG"
},
{
"Key": "hig-billing",
"Value": "APP-4587"
},
{
"Key": "mssql_environment",
"Value": "prod"
},
{
"Key": "Domain",
"Value": "ad1.prod"
},
{
"Key": "AppName",
"Value": "PeopleSoft"
},
{
"Key": "ThirdParty",
"Value": "No"
},
{
"Key": "child_module_version",
"Value": "v2.2.1"
},
{
"Key": "Hosted Region",
"Value": "US"
},
{
"Key": "Name",
"Value": "PeopleSoft-4587-PROD-sag-06"
},
{
"Key": "BackupGroup",
"Value": "ec2-nobackup"
},
{
"Key": "LOB",
"Value": "Global Specialty"
},
{
"Key": "Patching Group",
"Value": "Multiple DB Node AZ1"
},
{
"Key": "backup_s3bucket",
"Value": "gs-gsus-prod-net-01-sqlbackup-us-east-1"
},
{
"Key": "DynatraceMonitoring",
"Value": "true"
},
{
"Key": "mssql_collation",
"Value": "Latin1_General_BIN"
},
{
"Key": "DataClassification",
"Value": "CompanyConfidential"
},
{
"Key": "AppId",
"Value": "APP-4587"
},
{
"Key": "AppTier",
"Value": "DB"
},
{
"Key": "hig-environment-type",
"Value": "PROD"
},
{
"Key": "backup_s3bucketkms",
"Value": "arn:aws:kms:us-east-1:189682858917:key/e4b94c9a-82ad-4322-98ec-48d610f6548b"
},
{
"Key": "Comments",
"Value": ""
}
],
"VirtualizationType": "hvm",
"CpuOptions": {
"CoreCount": 4,
"ThreadsPerCore": 1
},
"CapacityReservationSpecification": {
"CapacityReservationPreference": "open"
},
"HibernationOptions": {
"Configured": false
},
"MetadataOptions": {
"State": "applied",
"HttpTokens": "required",
"HttpPutResponseHopLimit": 1,
"HttpEndpoint": "enabled",
"HttpProtocolIpv6": "disabled",
"InstanceMetadataTags": "disabled"
},
"EnclaveOptions": {
"Enabled": false
},
"PlatformDetails": "Windows",
"UsageOperation": "RunInstances:0002",
"UsageOperationUpdateTime": "2023-07-06T19:28:58+00:00",
"PrivateDnsNameOptions": {
"HostnameType": "ip-name",
"EnableResourceNameDnsARecord": false,
"EnableResourceNameDnsAAAARecord": false
},
"MaintenanceOptions": {
"AutoRecovery": "default"
},
"CurrentInstanceBootMode": "legacy-bios",
"c7n:MatchedFilters": [
"tag:AccountType",
"tag:Attributes",
"tag:EnvironmentType",
"tag:ImageBuilder"
]
},
{- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yuanliu
SplunkTrust
10-05-2024
04:29 PM
To ask an answerable data analytics question, follow these golden rules; nay, call them the four commandments:
- Illustrate data input (in raw text, anonymize as needed), whether they are raw events or output from a search that volunteers here do not have to look at.
- Illustrate the desired output from illustrated data.
- Explain the logic between illustrated data and desired output without SPL.
- If you also illustrate attempted SPL, illustrate actual output and compare with desired output, explain why they look different to you if that is not painfully obvious.
Let's check.
- Your sample data are JSON fragments, not a complete JSON object. Even the last update, no one can tell how deep that structure goes. In other words, which exact JSON path leads to the subnode c7n:MatchedFilters. I understand that your event size is enormous so you cannot show a complete sample. But you should show the complete structure of the object.
- The phrase "show the count and tagname in tabular format" in the title seems to be an attempt to describe desired output. But there are a thousand ways to show count and tagname in tabular format. What is even a "count" in your text?
- No description of logic.
- N/A
Without these, you are effectively asking volunteers to read your mind. That is not a fair ask.
Now, based on your last update, we can see that c7n:MatchedFilters is not a top node in your raw data. It is a subnode in a very large array. Is this large array a top node of your raw data? If not, how many upper paths are there before we reach c7n:MatchedFilters? Without an exact answer to this, there is no good answer to your question. In the following, I will assume "yes" to this, i.e., I will assume that somekey[c7n:MatchedFilters] is the correct path. (Or, in SPL flattened notation, somekey{}.c7n:MatchedFilters{}.
I will further assume that "show the count and tagname in tabular format" means to count events grouped by the string following "tag:" in each value of c7n:MatchedFilters. In other words, I assume that this table is what you look for:
| tagName | count |
| AccountType | 1 |
| AppTier | 1 |
| ApplicationFailoverGroup | 1 |
| Attributes | 2 |
| DBNodes | 1 |
| EnvironmentType | 1 |
| ImageBuilder | 1 |
| rk_aws_native_account_id | 1 |
| rk_cluster_id | 1 |
| rk_component | 1 |
| rk_instance_class | 1 |
| rk_job_id | 1 |
| rk_managed | 1 |
| rk_object | 1 |
| rk_restore_source_region | 1 |
| rk_restore_timestamp | 1 |
| rk_source_snapshot_native_id | 1 |
| rk_source_vm_native_id | 1 |
| rk_source_vm_native_name | 1 |
| rk_taskchain_id | 1 |
| rk_user | 1 |
| rk_version | 1 |
The above count is based on the fragments you pasted. I constructed the following as a valid JSON object to mimic the structure. If this is not the correct structure, you need to go back to the four commandments and start over.
{
"somekey": [
{
"AmiLaunchIndex": 0,
"ImageId": "ami-08435a7e5e61bc00b",
"InstanceId": "i-0b307f45f965d4222",
"InstanceType": "r5b.2xlarge",
"KeyName": "gsus-prod-net-01-key",
"LaunchTime": "2024-07-19T15:42:09+00:00",
"Monitoring": {
"State": "disabled"
},
"Placement": {
"AvailabilityZone": "us-east-1b",
"GroupName": "",
"Tenancy": "default"
},
"Platform": "windows",
"PrivateDnsName": "ip-172-23-43-196.ec2.internal",
"PrivateIpAddress": "172.23.43.196",
"ProductCodes": [],
"PublicDnsName": "",
"State": {
"Code": 16,
"Name": "running"
},
"StateTransitionReason": "",
"SubnetId": "subnet-03aa1e87392c5e63d",
"VpcId": "vpc-0e8954f5da98fe98d",
"Architecture": "x86_64",
"BlockDeviceMappings": [
{
"DeviceName": "/dev/sda1",
"Ebs": {
"AttachTime": "2024-07-19T15:41:21+00:00",
"DeleteOnTermination": false,
"Status": "attached",
"VolumeId": "vol-0d39da483194fdffa"
}
},
{
"DeviceName": "/dev/xvdf",
"Ebs": {
"AttachTime": "2023-07-06T19:30:04+00:00",
"DeleteOnTermination": false,
"Status": "attached",
"VolumeId": "vol-07813f09191a4af20"
}
},
{
"DeviceName": "/dev/xvdg",
"Ebs": {
"AttachTime": "2023-07-06T19:30:15+00:00",
"DeleteOnTermination": false,
"Status": "attached",
"VolumeId": "vol-05d213e8588431029"
}
},
{
"DeviceName": "/dev/xvdh",
"Ebs": {
"AttachTime": "2023-07-06T19:29:54+00:00",
"DeleteOnTermination": false,
"Status": "attached",
"VolumeId": "vol-08849724290ff4ff0"
}
},
{
"DeviceName": "/dev/xvdi",
"Ebs": {
"AttachTime": "2023-07-06T19:29:54+00:00",
"DeleteOnTermination": false,
"Status": "attached",
"VolumeId": "vol-0711192d14ffdc4ff"
}
},
{
"DeviceName": "/dev/xvdj",
"Ebs": {
"AttachTime": "2023-07-06T19:30:25+00:00",
"DeleteOnTermination": false,
"Status": "attached",
"VolumeId": "vol-0d8db3494a8c7254c"
}
},
{
"DeviceName": "/dev/xvdk",
"Ebs": {
"AttachTime": "2023-07-06T19:30:16+00:00",
"DeleteOnTermination": false,
"Status": "attached",
"VolumeId": "vol-0cba7f29aec3d9a35"
}
},
{
"DeviceName": "/dev/xvdl",
"Ebs": {
"AttachTime": "2023-07-06T19:30:15+00:00",
"DeleteOnTermination": false,
"Status": "attached",
"VolumeId": "vol-0810a5ac78ecf0e11"
}
},
{
"DeviceName": "/dev/xvdm",
"Ebs": {
"AttachTime": "2023-07-06T19:30:15+00:00",
"DeleteOnTermination": false,
"Status": "attached",
"VolumeId": "vol-0e4ec2b5f1bf4d871"
}
},
{
"DeviceName": "/dev/xvdn",
"Ebs": {
"AttachTime": "2023-07-06T19:29:54+00:00",
"DeleteOnTermination": false,
"Status": "attached",
"VolumeId": "vol-092a40b78baeeac7f"
}
},
{
"DeviceName": "/dev/xvdo",
"Ebs": {
"AttachTime": "2023-07-06T19:29:55+00:00",
"DeleteOnTermination": false,
"Status": "attached",
"VolumeId": "vol-0b1e2d02d509f3f5e"
}
},
{
"DeviceName": "/dev/xvdp",
"Ebs": {
"AttachTime": "2023-07-06T19:30:15+00:00",
"DeleteOnTermination": false,
"Status": "attached",
"VolumeId": "vol-01cabf285c719295f"
}
}
],
"ClientToken": "terraform-20230706192857135700000004",
"EbsOptimized": true,
"EnaSupport": true,
"Hypervisor": "xen",
"IamInstanceProfile": {
"Arn": "arn:aws:iam::189682858917:instance-profile/hig/WindowsEC2Role",
"Id": "AIPASYKP2XOSSBXPPW5LL"
},
"NetworkInterfaces": [
{
"Attachment": {
"AttachTime": "2023-07-06T19:28:58+00:00",
"AttachmentId": "eni-attach-09192f2a4fbf5a17d",
"DeleteOnTermination": false,
"DeviceIndex": 0,
"Status": "attached",
"NetworkCardIndex": 0
},
"Description": "",
"Groups": [
{
"GroupName": "gsus-prod-net-01-cmdb-sg-2022051216484634970000000a",
"GroupId": "sg-04908349d0f791aec"
},
{
"GroupName": "gsus-prod-net-01-sql-sg-20220512164845082300000004",
"GroupId": "sg-0b214ef19d0a4c0f7"
},
{
"GroupName": "gsus-prod-net-01-app-4587-v2sql-sg-20230707183929669400000001",
"GroupId": "sg-0c2f333cbfb09b29f"
},
{
"GroupName": "gsus-prod-net-01-win-sg-20220512164844866600000001",
"GroupId": "sg-0257bb3846318d5fd"
}
],
"Ipv6Addresses": [],
"MacAddress": "12:90:ce:a5:ca:a1",
"NetworkInterfaceId": "eni-0086b400faa99451d",
"OwnerId": "189682858917",
"PrivateDnsName": "ip-172-23-43-196.ec2.internal",
"PrivateIpAddress": "172.23.43.196",
"PrivateIpAddresses": [
{
"Primary": true,
"PrivateDnsName": "ip-172-23-43-196.ec2.internal",
"PrivateIpAddress": "172.23.43.196"
},
{
"Primary": false,
"PrivateDnsName": "ip-172-23-43-163.ec2.internal",
"PrivateIpAddress": "172.23.43.163"
},
{
"Primary": false,
"PrivateDnsName": "ip-172-23-43-141.ec2.internal",
"PrivateIpAddress": "172.23.43.141"
}
],
"SourceDestCheck": true,
"Status": "in-use",
"SubnetId": "subnet-03aa1e87392c5e63d",
"VpcId": "vpc-0e8954f5da98fe98d",
"InterfaceType": "interface"
}
],
"RootDeviceName": "/dev/sda1",
"RootDeviceType": "ebs",
"SecurityGroups": [
{
"GroupName": "gsus-prod-net-01-cmdb-sg-2022051216484634970000000a",
"GroupId": "sg-04908349d0f791aec"
},
{
"GroupName": "gsus-prod-net-01-sql-sg-20220512164845082300000004",
"GroupId": "sg-0b214ef19d0a4c0f7"
},
{
"GroupName": "gsus-prod-net-01-app-4587-v2sql-sg-20230707183929669400000001",
"GroupId": "sg-0c2f333cbfb09b29f"
},
{
"GroupName": "gsus-prod-net-01-win-sg-20220512164844866600000001",
"GroupId": "sg-0257bb3846318d5fd"
}
],
"SourceDestCheck": true,
"Tags": [
{
"Key": "Description",
"Value": ""
},
{
"Key": "hig-owner",
"Value": "mahesh.vidyasagar@thehartford.com"
},
{
"Key": "Billing",
"Value": "APP-4587"
},
{
"Key": "Repository",
"Value": "https://github.thehartford.com/HIG/gs_tfe_peoplesoft_app4587"
},
{
"Key": "Schedule",
"Value": "None"
},
{
"Key": "mssql_adou",
"Value": "OU=SQL-GS,OU=Windows,OU=Cloud,OU=Servers,DC=ad1,DC=prod"
},
{
"Key": "child_module_name",
"Value": "terraform-aws-ec2-db-mssql"
},
{
"Key": "mssql_instancename",
"Value": "MSSQLSERVER"
},
{
"Key": "module_name",
"Value": "terraform-aws-ec2-instance"
},
{
"Key": "Pipeline",
"Value": "https://jenkinsci.thehartford.com/iac-1/job/IAC/job/GS/job/PeopleSoft-4587/job/gsus_4587_peoplesoft_aws_gsprod/"
},
{
"Key": "IMDSv2",
"Value": "Enabled"
},
{
"Key": "IMDSv2 Date",
"Value": "07/06/2023, 19:30:24"
},
{
"Key": "PatchGroup",
"Value": "Multiple DB Node AZ2"
},
{
"Key": "module_version",
"Value": "v4.0.6"
},
{
"Key": "BackupDBGroup",
"Value": "ec2-sqldb-prod-silver"
},
{
"Key": "mssql_version",
"Value": "2019"
},
{
"Key": "AppOwner",
"Value": "Mahesh Vidyasagar"
},
{
"Key": "hig-planit-appid",
"Value": "APP-4587-PROD"
},
{
"Key": "ServiceTier",
"Value": "Silver"
},
{
"Key": "DBNodes",
"Value": "Secondary"
},
{
"Key": "Hostname",
"Value": "a4587ue1pwsag06"
},
{
"Key": "mssql_datavolumes",
"Value": "4"
},
{
"Key": "mssql_installtype",
"Value": "SAG"
},
{
"Key": "hig-data-classification",
"Value": "CompanyConfidential"
},
{
"Key": "PatchingFlag",
"Value": "Tag Applied"
},
{
"Key": "Environment",
"Value": "prod"
},
{
"Key": "Owner",
"Value": "HIG"
},
{
"Key": "hig-billing",
"Value": "APP-4587"
},
{
"Key": "mssql_environment",
"Value": "prod"
},
{
"Key": "Domain",
"Value": "ad1.prod"
},
{
"Key": "AppName",
"Value": "PeopleSoft"
},
{
"Key": "ThirdParty",
"Value": "No"
},
{
"Key": "child_module_version",
"Value": "v2.2.1"
},
{
"Key": "Hosted Region",
"Value": "US"
},
{
"Key": "Name",
"Value": "PeopleSoft-4587-PROD-sag-06"
},
{
"Key": "BackupGroup",
"Value": "ec2-nobackup"
},
{
"Key": "LOB",
"Value": "Global Specialty"
},
{
"Key": "Patching Group",
"Value": "Multiple DB Node AZ1"
},
{
"Key": "backup_s3bucket",
"Value": "gs-gsus-prod-net-01-sqlbackup-us-east-1"
},
{
"Key": "DynatraceMonitoring",
"Value": "true"
},
{
"Key": "mssql_collation",
"Value": "Latin1_General_BIN"
},
{
"Key": "DataClassification",
"Value": "CompanyConfidential"
},
{
"Key": "AppId",
"Value": "APP-4587"
},
{
"Key": "AppTier",
"Value": "DB"
},
{
"Key": "hig-environment-type",
"Value": "PROD"
},
{
"Key": "backup_s3bucketkms",
"Value": "arn:aws:kms:us-east-1:189682858917:key/e4b94c9a-82ad-4322-98ec-48d610f6548b"
},
{
"Key": "Comments",
"Value": ""
}
],
"VirtualizationType": "hvm",
"CpuOptions": {
"CoreCount": 4,
"ThreadsPerCore": 1
},
"CapacityReservationSpecification": {
"CapacityReservationPreference": "open"
},
"HibernationOptions": {
"Configured": false
},
"MetadataOptions": {
"State": "applied",
"HttpTokens": "required",
"HttpPutResponseHopLimit": 1,
"HttpEndpoint": "enabled",
"HttpProtocolIpv6": "disabled",
"InstanceMetadataTags": "disabled"
},
"EnclaveOptions": {
"Enabled": false
},
"PlatformDetails": "Windows",
"UsageOperation": "RunInstances:0002",
"UsageOperationUpdateTime": "2023-07-06T19:28:58+00:00",
"PrivateDnsNameOptions": {
"HostnameType": "ip-name",
"EnableResourceNameDnsARecord": false,
"EnableResourceNameDnsAAAARecord": false
},
"MaintenanceOptions": {
"AutoRecovery": "default"
},
"CurrentInstanceBootMode": "legacy-bios",
"someOtherStuff": "othervalue",
"c7n:MatchedFilters": [
"tag:AccountType",
"tag:Attributes",
"tag:EnvironmentType",
"tag:ImageBuilder"
]
},
{
"AmiLaunchIndex": 1,
"someOtherStuff": "othervalue",
"c7n:MatchedFilters": [
"tag:ApplicationFailoverGroup",
"tag:AppTier",
"tag:Attributes",
"tag:DBNodes",
"tag:rk_aws_native_account_id",
"tag:rk_cluster_id", "tag:rk_component",
"tag:rk_instance_class", "tag:rk_job_id",
"tag:rk_managed", "tag:rk_object",
"tag:rk_restore_source_region",
"tag:rk_restore_timestamp",
"tag:rk_source_snapshot_native_id",
"tag:rk_source_vm_native_id",
"tag:rk_source_vm_native_name",
"tag:rk_taskchain_id",
"tag:rk_user",
"tag:rk_version"
]
}
]
}
Basically, I took the valid element from your latest sample, and added the fragment containing the c7n:MatchedFilters key as a second element of top level key somekey. So, the second element does not have all the other keys as they are not of interest to this particular question.
After this construction, I think I get a handle to why the basic technique doesn't work. But let me explain the basic technique first.
This is assuming that Splunk search head already extracted all fields from raw data, which is the norm. But your raw events are so huge, even that single valid array element you posted is >15KB. Splunk has this default in limits.conf
[spath]
# Number of characters to read from an XML or JSON event when
# auto extracting.
extraction_cutoff = 5000
You can increase this to be larger than the maximum size of your events. But that may require a lot of RAM.
Without touching extraction_cutoff, you can directly reach c7n:MatchedFilters with spath command. Like this:
| spath path=somekey{}
| spath input=somekey{} path=c7n:MatchedFilters{} output=tagName
| stats count by tagName
| eval tagName = replace(tagName, "tag:", "")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yuanliu
SplunkTrust
10-05-2024
04:31 PM
The following is the emulation to produce the mock data. Play with it and compare with real data.
| makeresults
| fields - _*
| eval _raw = "{
\"somekey\": [
{
\"AmiLaunchIndex\": 0,
\"ImageId\": \"ami-08435a7e5e61bc00b\",
\"InstanceId\": \"i-0b307f45f965d4222\",
\"InstanceType\": \"r5b.2xlarge\",
\"KeyName\": \"gsus-prod-net-01-key\",
\"LaunchTime\": \"2024-07-19T15:42:09+00:00\",
\"Monitoring\": {
\"State\": \"disabled\"
},
\"Placement\": {
\"AvailabilityZone\": \"us-east-1b\",
\"GroupName\": \"\",
\"Tenancy\": \"default\"
},
\"Platform\": \"windows\",
\"PrivateDnsName\": \"ip-172-23-43-196.ec2.internal\",
\"PrivateIpAddress\": \"172.23.43.196\",
\"ProductCodes\": [],
\"PublicDnsName\": \"\",
\"State\": {
\"Code\": 16,
\"Name\": \"running\"
},
\"StateTransitionReason\": \"\",
\"SubnetId\": \"subnet-03aa1e87392c5e63d\",
\"VpcId\": \"vpc-0e8954f5da98fe98d\",
\"Architecture\": \"x86_64\",
\"BlockDeviceMappings\": [
{
\"DeviceName\": \"/dev/sda1\",
\"Ebs\": {
\"AttachTime\": \"2024-07-19T15:41:21+00:00\",
\"DeleteOnTermination\": false,
\"Status\": \"attached\",
\"VolumeId\": \"vol-0d39da483194fdffa\"
}
},
{
\"DeviceName\": \"/dev/xvdf\",
\"Ebs\": {
\"AttachTime\": \"2023-07-06T19:30:04+00:00\",
\"DeleteOnTermination\": false,
\"Status\": \"attached\",
\"VolumeId\": \"vol-07813f09191a4af20\"
}
},
{
\"DeviceName\": \"/dev/xvdg\",
\"Ebs\": {
\"AttachTime\": \"2023-07-06T19:30:15+00:00\",
\"DeleteOnTermination\": false,
\"Status\": \"attached\",
\"VolumeId\": \"vol-05d213e8588431029\"
}
},
{
\"DeviceName\": \"/dev/xvdh\",
\"Ebs\": {
\"AttachTime\": \"2023-07-06T19:29:54+00:00\",
\"DeleteOnTermination\": false,
\"Status\": \"attached\",
\"VolumeId\": \"vol-08849724290ff4ff0\"
}
},
{
\"DeviceName\": \"/dev/xvdi\",
\"Ebs\": {
\"AttachTime\": \"2023-07-06T19:29:54+00:00\",
\"DeleteOnTermination\": false,
\"Status\": \"attached\",
\"VolumeId\": \"vol-0711192d14ffdc4ff\"
}
},
{
\"DeviceName\": \"/dev/xvdj\",
\"Ebs\": {
\"AttachTime\": \"2023-07-06T19:30:25+00:00\",
\"DeleteOnTermination\": false,
\"Status\": \"attached\",
\"VolumeId\": \"vol-0d8db3494a8c7254c\"
}
},
{
\"DeviceName\": \"/dev/xvdk\",
\"Ebs\": {
\"AttachTime\": \"2023-07-06T19:30:16+00:00\",
\"DeleteOnTermination\": false,
\"Status\": \"attached\",
\"VolumeId\": \"vol-0cba7f29aec3d9a35\"
}
},
{
\"DeviceName\": \"/dev/xvdl\",
\"Ebs\": {
\"AttachTime\": \"2023-07-06T19:30:15+00:00\",
\"DeleteOnTermination\": false,
\"Status\": \"attached\",
\"VolumeId\": \"vol-0810a5ac78ecf0e11\"
}
},
{
\"DeviceName\": \"/dev/xvdm\",
\"Ebs\": {
\"AttachTime\": \"2023-07-06T19:30:15+00:00\",
\"DeleteOnTermination\": false,
\"Status\": \"attached\",
\"VolumeId\": \"vol-0e4ec2b5f1bf4d871\"
}
},
{
\"DeviceName\": \"/dev/xvdn\",
\"Ebs\": {
\"AttachTime\": \"2023-07-06T19:29:54+00:00\",
\"DeleteOnTermination\": false,
\"Status\": \"attached\",
\"VolumeId\": \"vol-092a40b78baeeac7f\"
}
},
{
\"DeviceName\": \"/dev/xvdo\",
\"Ebs\": {
\"AttachTime\": \"2023-07-06T19:29:55+00:00\",
\"DeleteOnTermination\": false,
\"Status\": \"attached\",
\"VolumeId\": \"vol-0b1e2d02d509f3f5e\"
}
},
{
\"DeviceName\": \"/dev/xvdp\",
\"Ebs\": {
\"AttachTime\": \"2023-07-06T19:30:15+00:00\",
\"DeleteOnTermination\": false,
\"Status\": \"attached\",
\"VolumeId\": \"vol-01cabf285c719295f\"
}
}
],
\"ClientToken\": \"terraform-20230706192857135700000004\",
\"EbsOptimized\": true,
\"EnaSupport\": true,
\"Hypervisor\": \"xen\",
\"IamInstanceProfile\": {
\"Arn\": \"arn:aws:iam::189682858917:instance-profile/hig/WindowsEC2Role\",
\"Id\": \"AIPASYKP2XOSSBXPPW5LL\"
},
\"NetworkInterfaces\": [
{
\"Attachment\": {
\"AttachTime\": \"2023-07-06T19:28:58+00:00\",
\"AttachmentId\": \"eni-attach-09192f2a4fbf5a17d\",
\"DeleteOnTermination\": false,
\"DeviceIndex\": 0,
\"Status\": \"attached\",
\"NetworkCardIndex\": 0
},
\"Description\": \"\",
\"Groups\": [
{
\"GroupName\": \"gsus-prod-net-01-cmdb-sg-2022051216484634970000000a\",
\"GroupId\": \"sg-04908349d0f791aec\"
},
{
\"GroupName\": \"gsus-prod-net-01-sql-sg-20220512164845082300000004\",
\"GroupId\": \"sg-0b214ef19d0a4c0f7\"
},
{
\"GroupName\": \"gsus-prod-net-01-app-4587-v2sql-sg-20230707183929669400000001\",
\"GroupId\": \"sg-0c2f333cbfb09b29f\"
},
{
\"GroupName\": \"gsus-prod-net-01-win-sg-20220512164844866600000001\",
\"GroupId\": \"sg-0257bb3846318d5fd\"
}
],
\"Ipv6Addresses\": [],
\"MacAddress\": \"12:90:ce:a5:ca:a1\",
\"NetworkInterfaceId\": \"eni-0086b400faa99451d\",
\"OwnerId\": \"189682858917\",
\"PrivateDnsName\": \"ip-172-23-43-196.ec2.internal\",
\"PrivateIpAddress\": \"172.23.43.196\",
\"PrivateIpAddresses\": [
{
\"Primary\": true,
\"PrivateDnsName\": \"ip-172-23-43-196.ec2.internal\",
\"PrivateIpAddress\": \"172.23.43.196\"
},
{
\"Primary\": false,
\"PrivateDnsName\": \"ip-172-23-43-163.ec2.internal\",
\"PrivateIpAddress\": \"172.23.43.163\"
},
{
\"Primary\": false,
\"PrivateDnsName\": \"ip-172-23-43-141.ec2.internal\",
\"PrivateIpAddress\": \"172.23.43.141\"
}
],
\"SourceDestCheck\": true,
\"Status\": \"in-use\",
\"SubnetId\": \"subnet-03aa1e87392c5e63d\",
\"VpcId\": \"vpc-0e8954f5da98fe98d\",
\"InterfaceType\": \"interface\"
}
],
\"RootDeviceName\": \"/dev/sda1\",
\"RootDeviceType\": \"ebs\",
\"SecurityGroups\": [
{
\"GroupName\": \"gsus-prod-net-01-cmdb-sg-2022051216484634970000000a\",
\"GroupId\": \"sg-04908349d0f791aec\"
},
{
\"GroupName\": \"gsus-prod-net-01-sql-sg-20220512164845082300000004\",
\"GroupId\": \"sg-0b214ef19d0a4c0f7\"
},
{
\"GroupName\": \"gsus-prod-net-01-app-4587-v2sql-sg-20230707183929669400000001\",
\"GroupId\": \"sg-0c2f333cbfb09b29f\"
},
{
\"GroupName\": \"gsus-prod-net-01-win-sg-20220512164844866600000001\",
\"GroupId\": \"sg-0257bb3846318d5fd\"
}
],
\"SourceDestCheck\": true,
\"Tags\": [
{
\"Key\": \"Description\",
\"Value\": \"\"
},
{
\"Key\": \"hig-owner\",
\"Value\": \"mahesh.vidyasagar@thehartford.com\"
},
{
\"Key\": \"Billing\",
\"Value\": \"APP-4587\"
},
{
\"Key\": \"Repository\",
\"Value\": \"https://github.thehartford.com/HIG/gs_tfe_peoplesoft_app4587\"
},
{
\"Key\": \"Schedule\",
\"Value\": \"None\"
},
{
\"Key\": \"mssql_adou\",
\"Value\": \"OU=SQL-GS,OU=Windows,OU=Cloud,OU=Servers,DC=ad1,DC=prod\"
},
{
\"Key\": \"child_module_name\",
\"Value\": \"terraform-aws-ec2-db-mssql\"
},
{
\"Key\": \"mssql_instancename\",
\"Value\": \"MSSQLSERVER\"
},
{
\"Key\": \"module_name\",
\"Value\": \"terraform-aws-ec2-instance\"
},
{
\"Key\": \"Pipeline\",
\"Value\": \"https://jenkinsci.thehartford.com/iac-1/job/IAC/job/GS/job/PeopleSoft-4587/job/gsus_4587_peoplesoft_aws_gsprod/\"
},
{
\"Key\": \"IMDSv2\",
\"Value\": \"Enabled\"
},
{
\"Key\": \"IMDSv2 Date\",
\"Value\": \"07/06/2023, 19:30:24\"
},
{
\"Key\": \"PatchGroup\",
\"Value\": \"Multiple DB Node AZ2\"
},
{
\"Key\": \"module_version\",
\"Value\": \"v4.0.6\"
},
{
\"Key\": \"BackupDBGroup\",
\"Value\": \"ec2-sqldb-prod-silver\"
},
{
\"Key\": \"mssql_version\",
\"Value\": \"2019\"
},
{
\"Key\": \"AppOwner\",
\"Value\": \"Mahesh Vidyasagar\"
},
{
\"Key\": \"hig-planit-appid\",
\"Value\": \"APP-4587-PROD\"
},
{
\"Key\": \"ServiceTier\",
\"Value\": \"Silver\"
},
{
\"Key\": \"DBNodes\",
\"Value\": \"Secondary\"
},
{
\"Key\": \"Hostname\",
\"Value\": \"a4587ue1pwsag06\"
},
{
\"Key\": \"mssql_datavolumes\",
\"Value\": \"4\"
},
{
\"Key\": \"mssql_installtype\",
\"Value\": \"SAG\"
},
{
\"Key\": \"hig-data-classification\",
\"Value\": \"CompanyConfidential\"
},
{
\"Key\": \"PatchingFlag\",
\"Value\": \"Tag Applied\"
},
{
\"Key\": \"Environment\",
\"Value\": \"prod\"
},
{
\"Key\": \"Owner\",
\"Value\": \"HIG\"
},
{
\"Key\": \"hig-billing\",
\"Value\": \"APP-4587\"
},
{
\"Key\": \"mssql_environment\",
\"Value\": \"prod\"
},
{
\"Key\": \"Domain\",
\"Value\": \"ad1.prod\"
},
{
\"Key\": \"AppName\",
\"Value\": \"PeopleSoft\"
},
{
\"Key\": \"ThirdParty\",
\"Value\": \"No\"
},
{
\"Key\": \"child_module_version\",
\"Value\": \"v2.2.1\"
},
{
\"Key\": \"Hosted Region\",
\"Value\": \"US\"
},
{
\"Key\": \"Name\",
\"Value\": \"PeopleSoft-4587-PROD-sag-06\"
},
{
\"Key\": \"BackupGroup\",
\"Value\": \"ec2-nobackup\"
},
{
\"Key\": \"LOB\",
\"Value\": \"Global Specialty\"
},
{
\"Key\": \"Patching Group\",
\"Value\": \"Multiple DB Node AZ1\"
},
{
\"Key\": \"backup_s3bucket\",
\"Value\": \"gs-gsus-prod-net-01-sqlbackup-us-east-1\"
},
{
\"Key\": \"DynatraceMonitoring\",
\"Value\": \"true\"
},
{
\"Key\": \"mssql_collation\",
\"Value\": \"Latin1_General_BIN\"
},
{
\"Key\": \"DataClassification\",
\"Value\": \"CompanyConfidential\"
},
{
\"Key\": \"AppId\",
\"Value\": \"APP-4587\"
},
{
\"Key\": \"AppTier\",
\"Value\": \"DB\"
},
{
\"Key\": \"hig-environment-type\",
\"Value\": \"PROD\"
},
{
\"Key\": \"backup_s3bucketkms\",
\"Value\": \"arn:aws:kms:us-east-1:189682858917:key/e4b94c9a-82ad-4322-98ec-48d610f6548b\"
},
{
\"Key\": \"Comments\",
\"Value\": \"\"
}
],
\"VirtualizationType\": \"hvm\",
\"CpuOptions\": {
\"CoreCount\": 4,
\"ThreadsPerCore\": 1
},
\"CapacityReservationSpecification\": {
\"CapacityReservationPreference\": \"open\"
},
\"HibernationOptions\": {
\"Configured\": false
},
\"MetadataOptions\": {
\"State\": \"applied\",
\"HttpTokens\": \"required\",
\"HttpPutResponseHopLimit\": 1,
\"HttpEndpoint\": \"enabled\",
\"HttpProtocolIpv6\": \"disabled\",
\"InstanceMetadataTags\": \"disabled\"
},
\"EnclaveOptions\": {
\"Enabled\": false
},
\"PlatformDetails\": \"Windows\",
\"UsageOperation\": \"RunInstances:0002\",
\"UsageOperationUpdateTime\": \"2023-07-06T19:28:58+00:00\",
\"PrivateDnsNameOptions\": {
\"HostnameType\": \"ip-name\",
\"EnableResourceNameDnsARecord\": false,
\"EnableResourceNameDnsAAAARecord\": false
},
\"MaintenanceOptions\": {
\"AutoRecovery\": \"default\"
},
\"CurrentInstanceBootMode\": \"legacy-bios\",
\"someOtherStuff\": \"othervalue\",
\"c7n:MatchedFilters\": [
\"tag:AccountType\",
\"tag:Attributes\",
\"tag:EnvironmentType\",
\"tag:ImageBuilder\"
]
},
{
\"AmiLaunchIndex\": 1,
\"someOtherStuff\": \"othervalue\",
\"c7n:MatchedFilters\": [
\"tag:ApplicationFailoverGroup\",
\"tag:AppTier\",
\"tag:Attributes\",
\"tag:DBNodes\",
\"tag:rk_aws_native_account_id\",
\"tag:rk_cluster_id\", \"tag:rk_component\",
\"tag:rk_instance_class\", \"tag:rk_job_id\",
\"tag:rk_managed\", \"tag:rk_object\",
\"tag:rk_restore_source_region\",
\"tag:rk_restore_timestamp\",
\"tag:rk_source_snapshot_native_id\",
\"tag:rk_source_vm_native_id\",
\"tag:rk_source_vm_native_name\",
\"tag:rk_taskchain_id\",
\"tag:rk_user\",
\"tag:rk_version\"
]
}
]
}"
| spath
``` data emulation above ```
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
10-05-2024
01:01 AM
This is not a complete event. If you don't want to provide that, perhaps you could tell us what fields have already been extracted?
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Get Updates on the Splunk Community!
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...
Unlock What’s Next: The Splunk Cloud Platform at .conf25
In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...
