Solved: Re: Unable to query on multiple extracted fields

sivathemass · ‎06-19-2020

I've a log like below and I want to extract the fields "country", "currency"

"{"id":1, "message":"country=US&currency=USD"}.

I wrote SPL
index="main"| rex max_match=0 field=message "(?<key>\w+)=(?<value>[^&]+)" | eval z=mvzip(key, value, "~") | mvexpand z | rex field=z "(?<key>[^~]+)~(?<value>.*)" | eval {key} = value

After extracting the fields, I can search based on only one field.
This works .
index="main"| rex max_match=0 field=message "(?<key>\w+)=(?<value>[^&]+)" | eval z=mvzip(key, value, "~") | mvexpand z | rex field=z "(?<key>[^~]+)~(?<value>.*)" | eval {key} = value | search country=US

This does not work
index="main"| rex max_match=0 field=message "(?<key>\w+)=(?<value>[^&]+)" | eval z=mvzip(key, value, "~") | mvexpand z | rex field=z "(?<key>[^~]+)~(?<value>.*)" | eval {key} = value | search country="US" AND currency="USD".

It yields 0 results
Any pointers please?

to4kawa · ‎06-20-2020

| makeresults 
| eval _raw="{\"id\":1, \"message\":\"country=US&currency=USD\"}"
| spath
| spath message output=message
| rename message as _raw
| extract

rename to _raw is trick.

View solution in original post

to4kawa · ‎06-20-2020

| makeresults 
| eval _raw="{\"id\":1, \"message\":\"country=US&currency=USD\"}"
| spath
| spath message output=message
| rename message as _raw
| extract

rename to _raw is trick.

Unable to query on multiple extracted fields

search job inspector

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms