Hi, I need some help with querying log events based on field values nested inside an escaped raw JSON object property. The screenshot below shows the complete JSON log event in "Show syntax highlighted" mode. I need to filter events based on properties in the parent JSON object and also combine field values from msg.object, which is also a proper JSON object.
I tried rex, spath but couldn't filter the events the way I need. Any help is appreciated. Thanks.
I am looking for a query to filter events matching the highlighted fields in the Splunk event log screenshot. This is for a dashboard with dropdowns for app, clientName, requestType, and state fields. I should be able to filter the log events based on dropdown selection.
index=x05_dev app=mock-app msg.detail{}.value=value1 | search msg.object.headers.requestType="basic" | search msg.object.body.client.clientName="XyzClient" | search msg.object.body.order.details[*].address.state="MN"
Sample Splunk Log Event
Hi @btsr
Can you provide the raw JSON as a code sample as this makes it easier to provide a working example that shows you what you need to do using SPL.
On a side note, you should look at cleaning this data up before it is ingested - basically object is showing the HTML code for a double quote - &#34; = ".
I think we need to get the msg.object and replace all HTML codes with double quotes on the fly to make valid JSON before querying further.
{
"app": "mock-app",
"sessionId": "71cde99f-faa9-47df-99d4-97b81b39275b",
"msg": {
"event": "response",
"status": "success",
"details": [
{
"key": "key1",
"value": "value1"
}
],
"method": "post",
"object":{
\u0026#34;headers\u0026#34;: {
\u0026#34;content-length\u0026#34;: \u0026#34;225\u0026#34;,
\u0026#34;requestType\u0026#34;: \u0026#34;basic\u0026#34;
},
\u0026#34;body\u0026#34;: {
\\\u0026#34;client\\\u0026#34;: {
\\\u0026#34;clientName\\\u0026#34;: \\\u0026#34;XyzClient\\\u0026#34;
},
\\\u0026#34;order\\\u0026#34;: {
\\\u0026#34;number\\\u0026#34;: \\\u0026#34;551270009\\\u0026#34;,
\\\u0026#34;details\\\u0026#34;: [
{
\\\u0026#34;item\\\u0026#34;: \\\u0026#34;product\\\u0026#34;,
\\\u0026#34;address\\\u0026#34;: {
\\\u0026#34;street\\\u0026#34;: \\\u0026#34;Main St\\\u0026#34;,
\\\u0026#34;zip\\\u0026#34;: \\\u0026#34;12345\\\u0026#34;,
\\\u0026#34;state\\\u0026#34;: \\\u0026#34;MN\u0026#34;,
\\\u0026#34;city\\\u0026#34;: \\\u0026#34;XyzCity\\\u0026#34;
}
}
]
}
}
}
}
}
Thanks @yeahnah, the msg.object field is ingested with HTML code as shown in the screenshot by the Splunk team to allow different teams to use it for different free-form JSON formats. If I click on "Show as Raw Text" in Splunk, it is replacing all ampersand symbols with \u0026
Hi @btsr
Try adding this sed character replacement using the rex command, which should normalise the escaped code in the msg.object back to double quotes expected for JSON formats, then spath will pull the kv fields out of the JSON event again
... your search ...
| rex mode=sed "s/(\\\)*u0026#34;/\"/g"
| spath msg.object
| ... more SPL, as needed ...
Hope it helps
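To check what the rex/spath pipeline above does before wiring it into a dashboard, here is an added Python example (not part of the thread, not Splunk's own code) that performs the same normalisation off-line: every `\u0026#34;` or `&#34;` sequence, with any run of leading backslashes, is replaced by a double quote, the event is parsed as JSON, and the four dropdown fields (app, requestType, clientName, state) are pulled out and used as a filter. It goes beyond the sed expression in the answer by also handling the plain `&#34;` form @yeahnah points out. The two events are constructed to mirror the structure of the one posted; the function names are my own.

```python
import json
import re

# Constructed sample event, shaped like the one in the thread: msg.object carries
# HTML-entity quotes (\u0026#34;), some of them prefixed by extra backslashes.
SAMPLE_EVENT = r'''{
  "app": "mock-app",
  "sessionId": "71cde99f-faa9-47df-99d4-97b81b39275b",
  "msg": {
    "event": "response",
    "status": "success",
    "details": [{"key": "key1", "value": "value1"}],
    "method": "post",
    "object": {
      \u0026#34;headers\u0026#34;: {
        \u0026#34;content-length\u0026#34;: \u0026#34;225\u0026#34;,
        \u0026#34;requestType\u0026#34;: \u0026#34;basic\u0026#34;
      },
      \u0026#34;body\u0026#34;: {
        \\\u0026#34;client\\\u0026#34;: {\\\u0026#34;clientName\\\u0026#34;: \\\u0026#34;XyzClient\\\u0026#34;},
        \\\u0026#34;order\\\u0026#34;: {
          \\\u0026#34;number\\\u0026#34;: \\\u0026#34;551270009\\\u0026#34;,
          \\\u0026#34;details\\\u0026#34;: [
            {
              \\\u0026#34;item\\\u0026#34;: \\\u0026#34;product\\\u0026#34;,
              \\\u0026#34;address\\\u0026#34;: {\\\u0026#34;street\\\u0026#34;: \\\u0026#34;Main St\\\u0026#34;, \\\u0026#34;state\\\u0026#34;: \\\u0026#34;MN\u0026#34;}
            }
          ]
        }
      }
    }
  }
}'''

# Second constructed event using the un-unicoded &#34; form, for a different client/state.
SAMPLE_EVENT_2 = r'''{"app": "mock-app", "sessionId": "00000000-0000-0000-0000-000000000002",
 "msg": {"event": "response", "status": "success", "details": [{"key": "key1", "value": "value1"}],
  "method": "post",
  "object": {&#34;headers&#34;: {&#34;requestType&#34;: &#34;basic&#34;},
             &#34;body&#34;: {&#34;client&#34;: {&#34;clientName&#34;: &#34;OtherClient&#34;},
                         &#34;order&#34;: {&#34;details&#34;: [{&#34;address&#34;: {&#34;state&#34;: &#34;CA&#34;}}]}}}}}'''

# Any number of backslashes, then either the literal text \u0026 or a bare &, then #34;
# Equivalent in spirit to the SPL  rex mode=sed "s/(\\\)*u0026#34;/\"/g"  in the answer,
# extended to cover the raw &#34; form as well.
QUOTE_ENTITY = re.compile(r'\\*(?:\\u0026|&)#34;')


def normalize_quotes(raw: str) -> str:
    """Turn every escaped HTML double-quote entity back into a plain double quote."""
    return QUOTE_ENTITY.sub('"', raw)


def parse_event(raw: str) -> dict:
    """Normalise the quotes and parse the whole event as one JSON document."""
    return json.loads(normalize_quotes(raw))


def extract_fields(event: dict) -> dict:
    """Pull out the four dashboard dropdown fields; state is collected from every
    msg.object.body.order.details[*].address entry."""
    obj = event["msg"]["object"]
    body = obj.get("body", {})
    details = body.get("order", {}).get("details", [])
    states = {d.get("address", {}).get("state") for d in details} - {None}
    return {
        "app": event.get("app"),
        "requestType": obj.get("headers", {}).get("requestType"),
        "clientName": body.get("client", {}).get("clientName"),
        "states": sorted(states),
    }


def matches(fields: dict, **selection) -> bool:
    """A dropdown value of None means 'any'; state matches if any address has it."""
    for key, wanted in selection.items():
        if wanted is None:
            continue
        if key == "state":
            if wanted not in fields["states"]:
                return False
        elif fields.get(key) != wanted:
            return False
    return True


def filter_events(raw_events, **selection):
    """Return the raw events whose extracted fields satisfy the dropdown selection."""
    return [e for e in raw_events if matches(extract_fields(parse_event(e)), **selection)]


if __name__ == "__main__":
    for raw in (SAMPLE_EVENT, SAMPLE_EVENT_2):
        print(extract_fields(parse_event(raw)))
    hits = filter_events([SAMPLE_EVENT, SAMPLE_EVENT_2],
                         app="mock-app", requestType="basic",
                         clientName="XyzClient", state="MN")
    print(len(hits), "event(s) match")
```

The regex is deliberately anchored on the `#34;` entity only, so it leaves the well-formed outer keys untouched; if a feed ever encodes other characters as entities (`&#38;`, `&#60;` and so on) the same pattern can be widened, but that is an assumption about data not shown in the thread.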