Splunk search does not return event data when there is multiple json in same event

karthi25
Path Finder

I have created a Splunk alert for when a failure occurs. I have the query as follows:

index=* source=***
| spath path=TestLog.TestFailureLog.appName output=APPNAME
| spath path=TestLog.TestFailureLog.eventType output=EVENTTYPE
| spath path=TestLog.TestFailureLog.payload.level output=LEVEL
| spath path=TestLog.TestFailureLog.payload.failureCount output=FAILURECOUNT
| spath path=TestLog.TestFailureLog.payload.errorDescription output=ERRORDESCRIPTION
| where APPNAME!="" and LEVEL="ERROR"
| table APPNAME,EVENTTYPE,LEVEL,FAILURECOUNT,ERRORDESCRIPTION

It works fine when I have a single JSON object per event in the log. For example, if I have data like below:

[image]

But if I have both the success and failure log in the same event, that particular event is omitted and it returns all the remaining failure logs.

[image]

Can anyone please suggest a solution for it?


kamlesh_vaghela
SplunkTrust

@karthi25

Can you please try the search below? I have split the events as expected. For that, I have added || using replace to split the events. Here you might need to change the value }\n{ to your brackets.

<<YOUR_host_source_sourcetype>>
| fields _time _raw
| eval data = replace(_raw,"}\n{","}||{") 
| eval data = split(data,"||") 
| mvexpand data | eval _raw=data | kv | table TestSplunkLog.*

Thanks

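The answer above splits the raw event on the text between two JSON objects and then re-extracts fields from each piece. The following Python, added here as an illustration and not part of the original post or of Splunk, does the same split-then-extract step outside Splunk so you can see why the original alert misses the mixed event: the failure fields only become visible once each JSON object is handled on its own. It goes slightly beyond the SPL by using the JSON grammar (`json.JSONDecoder.raw_decode`) to find object boundaries rather than a literal `}\n{` pattern, so objects separated by spaces or no newline at all are also split. The sample event, the `TestSplunkLog` field prefix and the `failure_rows` output columns follow the question; the sample values are constructed.

```python
import json
from typing import Any, Dict, List

# Constructed sample: one raw Splunk event holding two JSON objects back to back,
# shaped like the TestSplunkLog event in the question (values are made up).
RAW_EVENT = """{
"TestSplunkLog" : {
"TestSuccessLog" : {
"appName" : "Testsscount",
"eventType" : "event1",
"payload" : { "level" : "INFO", "sourceCount" : 0, "successCount" : 0 }
}
}
}
{
"TestSplunkLog" : {
"TestFailureLog" : {
"appName" : "Testsscount",
"eventType" : "event1",
"payload" : { "level" : "ERROR", "failureCount" : 0, "errorCode" : 17002,
"errorDescription" : "IO Error: Unknown host specified " }
}
}
}"""


def split_json_objects(raw: str) -> List[Any]:
    """Split a string of concatenated JSON documents into parsed objects.

    Same intent as the replace/split/mvexpand chain in the answer, but driven by
    the JSON grammar instead of a "}\\n{" text pattern, so it also copes with
    objects separated by spaces, by nothing, or by several newlines.
    """
    decoder = json.JSONDecoder()
    objects: List[Any] = []
    pos, end = 0, len(raw)
    while pos < end:
        # raw_decode does not skip leading whitespace, so do it here
        while pos < end and raw[pos].isspace():
            pos += 1
        if pos >= end:
            break
        obj, pos = decoder.raw_decode(raw, pos)
        objects.append(obj)
    return objects


def flatten(obj: Any, prefix: str = "") -> Dict[str, Any]:
    """Flatten nested JSON into dotted field names, as spath/kv do."""
    fields: Dict[str, Any] = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            name = f"{prefix}.{key}" if prefix else key
            fields.update(flatten(value, name))
    else:
        # lists are kept whole here; Splunk would make them a multivalue field
        fields[prefix] = obj
    return fields


def failure_rows(raw: str) -> List[Dict[str, Any]]:
    """Apply the question's alert logic per JSON object instead of per event."""
    base = "TestSplunkLog.TestFailureLog"
    rows: List[Dict[str, Any]] = []
    for obj in split_json_objects(raw):
        f = flatten(obj)
        appname = f.get(f"{base}.appName", "")
        level = f.get(f"{base}.payload.level")
        # mirrors: where APPNAME!="" and LEVEL="ERROR"
        if appname != "" and level == "ERROR":
            rows.append({
                "APPNAME": appname,
                "EVENTTYPE": f.get(f"{base}.eventType"),
                "LEVEL": level,
                "FAILURECOUNT": f.get(f"{base}.payload.failureCount"),
                "ERRORDESCRIPTION": f.get(f"{base}.payload.errorDescription"),
            })
    return rows


if __name__ == "__main__":
    for row in failure_rows(RAW_EVENT):
        print(row)
```

Run as-is it prints one row for the ERROR object and nothing for the INFO object, which is the per-object result the SPL in the answer produces after `mvexpand`. If your events use the `TestLog` prefix from the original query rather than `TestSplunkLog`, change `base` accordingly.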


karthi25
Path Finder

@kamlesh_vaghela finally it works, Thanks a lot.


kamlesh_vaghela
SplunkTrust

@karthi25
Great.

Please upvote and accept this answer to close this question.

Happy Splunking


kamlesh_vaghela
SplunkTrust

@karthi25
It seems the JSON you gave is invalid. Can you please share an actual event having multiple logs? Don't beautify the JSON; share it as it is.


karthi25
Path Finder

@kamlesh_vaghela Thanks for your response. I have updated my question. Please look into it. Kindly let me know if you find anything. Since these logs are from other sources, I can't change the logging format.


kamlesh_vaghela
SplunkTrust

Thanks, @karthi25, for updating the question. Is it OK if you share the 2nd event in text format? Then we can work on those samples to help you. Use Code Sample (5th icon in the panel above) for the same. Replace confidential values with dummy values.


karthi25
Path Finder

@kamlesh_vaghela Sure. Please find the text format for the 2nd event below:

{
"TestSplunkLog" : {
"TestSuccessLog" : {
"appName" : "Testsscount",
"eventType" : "event1",
"payload" : {
"level" : "INFO",
"startTime" : "2019-02-21 18:02:58",
"sourceCount" : 0,
"successCount" : 0,
"duplicateCount" : 0,
"publishedCount" : 0,
"endTime" : "2019-02-21 18:02:59"
}
}
}
}
{
"TestSplunkLog" : {
"TestFailureLog" : {
"appName" : "Testsscount",
"eventType" : "event1",
"payload" : {
"level" : "ERROR",
"startTime" : "2019-02-21 18:02:58",
"failureCount" : 0,
"errorCode" : 17002,
"errorDescription" : "IO Error: Unknown host specified ",
"failureIdList" : [ ],
"endTime" : "2019-02-21 18:02:59"
}
}
}
}
host = *** source =*** sourcetype =***
