Splunk Search

Splitting or searching a MV JSON

moseisleydk
Path Finder

I have a json array like:

How can I search or split that? The search:

index=jira "issues{}.fields.customfield_14028"=521 | head 1 | stats sum("issues{}.fields.customfield_14233") by "issues{}.fields.summary"

gives all issues....also where issues{}.fields.customfield_14028"<>521

Tags (1)
0 Karma

anishinha
New Member

is it possible to extract a field from a result contained in a JSON field?
Ex; result of field payment.log: {"data":{"lancto_dto_list":,"sld_dt":{"lim":10.00,"sld_disp":37.80,"disp":40.80}}}
I need the last field "disp".

0 Karma

to4kawa
Ultra Champion
| makeresults
| eval _raw="payment.log: {\"data\":{\"lancto_dto_list\":,\"sld_dt\":{\"lim\":10.00,\"sld_disp\":37.80,\"disp\":40.80}}}"
| rex "disp.:(?<disp>[\d.]+)"
0 Karma

moseisleydk
Path Finder

Found it after some test and thanks to https://answers.splunk.com/answers/366957/how-do-i-get-splunk-to-extract-nested-json-arrays.html

index=jira | head 1 | spath output=x path=issues{} | fields - _raw | fields x | mvexpand x | spath input=x | rename fields{} as fields | mvexpand fields | search fields.customfield_14028=521 | table key,fields.summary,fields.customfield_12931.value,fields.customfield_12927,fields.customfield_14233,fields.customfield_12932.value,price

Give a nice table for all "events" where fields.customfield_14028=521

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

Hi @moseisleydk,

Can you please try this search?

index=jira "issues{}.fields.customfield_14028"=521 
| head 1 
| rename "issues{}.fields.customfield_14233" as customfield_14233, "issues{}.fields.summary" as summary
| eval tempField=mvzip(customfield_14233,summary) 
| stats count by _time,tempField
| eval customfield_14233=mvindex(split(tempField,","),0), summary=mvindex(split(tempField,","),1)
| stats sum(customfield_14233) by summary

Thanks

0 Karma

moseisleydk
Path Finder

Hi,

Thanks, it still "ignores" the

"issues{}.fields.customfield_14028"=521

and reports all issues, not only the

customfield_14028: 521

issues.

Kind Regards,

Normann

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

Can you please share sample events? use 101010 for same.

0 Karma
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Think Like an Architect: Introducing the Splunk Certified Cybersecurity Defense ...

In cybersecurity, defenders respond to threats. Architects design the systems that stop them.    As ...

Best Practices: Splunk auto adjust pipeline queue

When you enable autoAdjustQueue in Splunk, maxSize should be understood as the queue size Splunk starts with ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...