not able to search with any attribute which are having .(dot) like env.cookieSize
NOT WORKING
------------------
index="ss-prd-dkp" "*price?sailingId=IC20240810¤cyIso=USD&categoryId=pt_internet" | spath status | search status=500 | spath "context.duration" | search "context.duration"="428.70000000006985"| spath "context.env.cookiesSize" | search "context.env.cookiesSize"=7670
WORKING
index="ss-prd-dkp" "*price?sailingId=IC20240810¤cyIso=USD&categoryId=pt_internet" | spath status | search status=500 | spath "context.duration" | search "context.duration"="428.70000000006985"
Let me know the solution for this
context: { [-]
duration: 428.70000000006985
env.automation-bot: false
env.cookiesSize: 7670
env.laneColor: blue
}
Use single quote to protect field names when there is some undesirable side effects from flattened JSON path. (search command cannot finesse this, unfortunately.)
index="ss-prd-dkp" "*price?sailingId=IC20240810¤cyIso=USD&categoryId=pt_internet"
| where status=500 AND 'context.duration' == 428.70000000006985
AND 'context.env.cookiesSize' == 7670
But note:
how we can filter it with providing the value 7670
Try using the json_extract_exact function (which doesn't use paths and therefore avoids the issue of keys looking like paths.
| spath context
| eval cookiesSize=json_extract_exact(context, "env.cookiesSize")