Removing Single Fields From a List of Maps

steeleverint
Engager

Hi,

I have an event json similar to:

{"stages":[{"duration":12,"status":"Success","children":[{"test":"integration","result":"passed"},{"test":"regression","result":"failed"}]},{"duration":1.5,"status":"Success","children":[{"test":"unit","result":"passed"},{"test":"regression","result":"passed"}]},{"duration":3.1,"status":"Success","children":[{"test":"integration","result":"passed"},{"test":"unit","result":"failed"}]}]}

where children is a list of maps inside a list of maps. The problem is that this list is so large that it exceeds the 10000 character limit. I don't have admin access so cannot increase this limit. What I would like to do is remove the children field inside of each map in the stages list. I've tried numerous attempts without any luck. Anyone know of a way to do this?

Thanks


to4kawa
Ultra Champion

index=_internal | head 1 |fields _raw
| eval _raw="{\"stages\":[{\"duration\":12,\"status\":\"Success\",\"children\":[{\"test\":\"integration\",\"result\":\"passed\"},{\"test\":\"regression\",\"result\":\"failed\"}]},{\"duration\":1.5,\"status\":\"Success\",\"children\":[{\"test\":\"unit\",\"result\":\"passed\"},{\"test\":\"regression\",\"result\":\"passed\"}]},{\"duration\":3.1,\"status\":\"Success\",\"children\":[{\"test\":\"integration\",\"result\":\"passed\"},{\"test\":\"unit\",\"result\":\"failed\"}]}]}"
| spath stages{} output=stages
| stats count by stages
| streamstats count as session
| spath input=stages children{} output=child
| spath input=stages duration
| spath input=stages status
| stats values(duration) as duration values(status) as status by session child
| spath input=child
| fields - session child

You can make a table with it.

index=_internal | head 1 |fields _raw
| eval _raw="{\"stages\":[{\"duration\":12,\"status\":\"Success\",\"children\":[{\"test\":\"integration\",\"result\":\"passed\"},{\"test\":\"regression\",\"result\":\"failed\"}]},{\"duration\":1.5,\"status\":\"Success\",\"children\":[{\"test\":\"unit\",\"result\":\"passed\"},{\"test\":\"regression\",\"result\":\"passed\"}]},{\"duration\":3.1,\"status\":\"Success\",\"children\":[{\"test\":\"integration\",\"result\":\"passed\"},{\"test\":\"unit\",\"result\":\"failed\"}]}]}"
| rex mode=sed "s/children\":\[.*?\]/children\":[]/g"

If you want to delete it, try this.

steeleverint
Engager

Thanks.  That did the trick.  Just did a slight modification to remove the field altogether:

rex mode=sed "s/\"children\":\[.*?\],//g"

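Added example, not code from the thread or from Splunk: the two sed-style rex patterns above translated to Python's re, alongside a structured parse-and-drop of the same field, run over constructed events. It shows where the textual replacement depends on key order and breaks on a "]" inside a string value. The constant and function names are my own.

```python
import json
import re

# Constructed sample, same shape and key order as the event in the question.
SAMPLE_EVENT = (
    '{"stages":['
    '{"duration":12,"status":"Success","children":[{"test":"integration","result":"passed"},'
    '{"test":"regression","result":"failed"}]},'
    '{"duration":1.5,"status":"Success","children":[{"test":"unit","result":"passed"}]}'
    ']}'
)
# Constructed variant where "children" is not the last key of its map.
REORDERED_EVENT = ('{"stages":[{"duration":12,"children":[{"test":"unit",'
                   '"result":"passed"}],"status":"Success"}]}')
# Constructed edge case: a "]" inside a string value of a child map.
TRICKY_EVENT = ('{"stages":[{"duration":2,"status":"Success",'
                '"children":[{"test":"suite[0]","result":"passed"}]}]}')

# The two patterns from the thread, translated to Python's re (same PCRE-style semantics).
EMPTY_CHILDREN = re.compile(r'children":\[.*?\]')     # accepted answer: children -> []
REMOVE_CHILDREN = re.compile(r'"children":\[.*?\],')  # asker's variant: drop the field


def empty_children_regex(raw: str) -> str:
    """Textual approach from the accepted answer: keep the key, empty the array."""
    return EMPTY_CHILDREN.sub('children":[]', raw)


def remove_children_regex(raw: str) -> str:
    """Textual approach from the asker's reply: delete the whole field.
    Matches only when a comma follows the array, i.e. when "children"
    is not the last key of its map; otherwise the event is left unchanged."""
    return REMOVE_CHILDREN.sub("", raw)


def remove_children_json(raw: str) -> str:
    """Structured approach: parse, drop the key from every stage, re-serialise.
    Unaffected by key order and by brackets inside string values."""
    event = json.loads(raw)
    for stage in event.get("stages", []):
        stage.pop("children", None)
    return json.dumps(event, separators=(",", ":"))


def is_valid_json(raw: str) -> bool:
    """Check that a stripped event still parses before relying on it downstream."""
    try:
        json.loads(raw)
    except ValueError:
        return False
    return True


def fits_limit(raw: str, limit: int = 10000) -> bool:
    """True when the event is within the character limit the asker ran into."""
    return len(raw) <= limit
```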