- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Splunk Create Fields from Field Values in Json...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am trying to create new field values from my json log base on the values that appear under a particular field
So here is an example
{
"widget": {
"text": [
{
"data": "Click here",
"size": 36
},
{
"data": "Learn more",
"size": 37
},
{
"data": "Help",
"size": 38
},
]
}
}So in my environment I currently have got widget{}.text{}.data as a field, however i would like to break it further and have
widget{}.text{}.data{}.ClickHere,
widget{}.text{}.data{}.Help,
widget{}.text{}.data{}.LearnMore as individual fields
I ask this because when we have thousands of logs and are looking for certain combinations, we have issues with filtering accurately, doing this will help us find the right combinations
Any assistance will be greatly appreciated,
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval _raw="{
\"widget\": {
\"text\": [
{
\"data\": \"Click here\",
\"size\": 36
},
{
\"data\": \"Learn more\",
\"size\": 37
},
{
\"data\": \"Help\",
\"size\": 38
},
]
}
}"
| rex max_match=0 "(?ms)(?<jsons>{\s*\"data.*?})"
| stats count by jsons
| spath input=jsons
| eval {data}=size
| table "Click here" Help "Learn more"
| stats values(*) as *
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval _raw="{
\"widget\": {
\"text\": [
{
\"data\": \"Click here\",
\"size\": 36
},
{
\"data\": \"Learn more\",
\"size\": 37
},
{
\"data\": \"Help\",
\"size\": 38
},
]
}
}"
| rex max_match=0 "(?ms)(?<jsons>{\s*\"data.*?})"
| stats count by jsons
| spath input=jsons
| eval {data}=size
| table "Click here" Help "Learn more"
| stats values(*) as *
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for this, i will try it out on monday, it looks like it will work,
I've heard online about {} creating a new set of fields from field values
what is the purpose of using the rex? is that just to capture data into a new field so that we can use spath on it? is this part absolutely necessary?
if you could explain exactly what {data}=size does that will help me understand its real use for further scenarios,
Thanks again, looking forward to trying this out!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval _raw="{
\"widget\": {
\"text\": [
{
\"data\": \"Click here\",
\"size\": 36
},
{
\"data\": \"Learn more\",
\"size\": 37
},
{
\"data\": \"Help\",
\"size\": 38
},
]
}
}"
| spath
| rename widget.text{}.* as *
| eval tmp=mvzip(data,size)
| stats count by tmp
| eval data=mvindex(split(tmp,","),0), size=mvindex(split(tmp,","),1)
| xyseries count data size
| fields - count
1. I like rex to extract json array.(it's better to use mvzip,I guess)
2. see https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Eval#Field_names
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
