Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using spath with Sequentially Numbered JSON Keys

cw
Engager
‎04-25-2021 07:40 PM

I'm trying to create a simple table from the following JSON data, and I only care about extracting three particular values: trap_recieved_ts, cctConfigChangeType, and cctDeviceLabel

 

{
  "trap_destination_ip": "1.2.3.4",
  "trap_recieved_epoch": "1234567890",
  "trap_recieved_ts": "2021-04-08 14:17:32",
  "trap_source_ip": "1.2.3.4",
  "traps": [
    {
      "DISMAN-EVENT-MIB::sysUpTimeInstance": "2:2:49:18.49",
      "ETV-Agent-MIB::cctConfigChangeTrapSequenceNumber.17": "Wrong Type (should be Counter32): 17",
      "ETV-Agent-MIB::cctConfigChangeType.17": "Switchover",
      "ETV-Agent-MIB::cctDeviceLabel.17": "HOSTNAME",
      "SNMP-COMMUNITY-MIB::snmpTrapAddress.0": "1.2.3.4",
      "SNMP-COMMUNITY-MIB::snmpTrapCommunity.0": "public",
      "SNMPv2-MIB::snmpTrapEnterprise.0": "ETV-Agent-MIB::cctConfigChangeTrapTable",
      "SNMPv2-MIB::snmpTrapOID.0": "ETV-Agent-MIB::cctSingleConfigChangeTrap"
    }
  ]
}

 

The first issue I'm running into is with the .17, which increments with every new data point. The dot forces Splunk to treat the 17 as a new object in the path, and the fact that it increments prevents be from statically defining the key in my search string.

index=index
| spath output=time path=trap_recieved_ts
| spath output=alert path=traps.ETV-Agent-MIB::cctConfigChangeType.17
| spath output=device path=traps.ETV-Agent-MIB::cctDeviceLabel.17
| table time alert device

 

I've read that I should be able to do the following in order to identify the two problematic keys I'm interested in, but Splunk seems to just disregard the {}

 

index=index
| spath output=time path=trap_recieved_ts
| spath output=alert path=traps{2}
| spath output=device path=traps{3}
| table time alert device

 

Any suggestions?

Labels (1)
Labels
Tags (5)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-26-2021 01:42 AM

Remove the numbering before the spath (and take into account the traps is a collection)

| rex mode=sed "s/(:cctConfigChangeTrapSequenceNumber)\.\d+/\1/g"
| rex mode=sed "s/(:cctConfigChangeType)\.\d+/\1/g"
| rex mode=sed "s/(:cctDeviceLabel)\.\d+/\1/g"
| spath output=time path=trap_recieved_ts
| spath output=alert path=traps{}.ETV-Agent-MIB::cctConfigChangeType
| spath output=device path=traps{}.ETV-Agent-MIB::cctDeviceLabel
| table time alert device

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-26-2021 01:42 AM

Remove the numbering before the spath (and take into account the traps is a collection)

| rex mode=sed "s/(:cctConfigChangeTrapSequenceNumber)\.\d+/\1/g"
| rex mode=sed "s/(:cctConfigChangeType)\.\d+/\1/g"
| rex mode=sed "s/(:cctDeviceLabel)\.\d+/\1/g"
| spath output=time path=trap_recieved_ts
| spath output=alert path=traps{}.ETV-Agent-MIB::cctConfigChangeType
| spath output=device path=traps{}.ETV-Agent-MIB::cctDeviceLabel
| table time alert device
Reply
Solved! Jump to solution

cw
Engager
‎04-26-2021 08:10 PM

This worked perfectly. Thanks @ITWhisperer

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎04-25-2021 09:21 PM

hi @cw,

Just try with spath and assign output field values to new fields.

| makeresults 
| eval _raw="{
  \"trap_destination_ip\": \"1.2.3.4\",
  \"trap_recieved_epoch\": \"1234567890\",
  \"trap_recieved_ts\": \"2021-04-08 14:17:32\",
  \"trap_source_ip\": \"1.2.3.4\",
  \"traps\": [
    {
      \"DISMAN-EVENT-MIB::sysUpTimeInstance\": \"2:2:49:18.49\",
      \"ETV-Agent-MIB::cctConfigChangeTrapSequenceNumber.17\": \"Wrong Type (should be Counter32): 17\",
      \"ETV-Agent-MIB::cctConfigChangeType.17\": \"Switchover\",
      \"ETV-Agent-MIB::cctDeviceLabel.17\": \"HOSTNAME\",
      \"SNMP-COMMUNITY-MIB::snmpTrapAddress.0\": \"1.2.3.4\",
      \"SNMP-COMMUNITY-MIB::snmpTrapCommunity.0\": \"public\",
      \"SNMPv2-MIB::snmpTrapEnterprise.0\": \"ETV-Agent-MIB::cctConfigChangeTrapTable\",
      \"SNMPv2-MIB::snmpTrapOID.0\": \"ETV-Agent-MIB::cctSingleConfigChangeTrap\"
            }
  ]
}" 
| spath 
| eval time=trap_recieved_ts, device='traps{}.ETV-Agent-MIB::cctDeviceLabel.17', alert='traps{}.ETV-Agent-MIB::cctConfigChangeType.17' 
| table time alert device

 

If this reply helps you, a like would be appreciated.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...