Splunk Search

Using spath with Sequentially Numbered JSON Keys

cw
Engager

I'm trying to create a simple table from the following JSON data, and I only care about extracting three particular values: trap_recieved_ts, cctConfigChangeType, and cctDeviceLabel

 

{
  "trap_destination_ip": "1.2.3.4",
  "trap_recieved_epoch": "1234567890",
  "trap_recieved_ts": "2021-04-08 14:17:32",
  "trap_source_ip": "1.2.3.4",
  "traps": [
    {
      "DISMAN-EVENT-MIB::sysUpTimeInstance": "2:2:49:18.49",
      "ETV-Agent-MIB::cctConfigChangeTrapSequenceNumber.17": "Wrong Type (should be Counter32): 17",
      "ETV-Agent-MIB::cctConfigChangeType.17": "Switchover",
      "ETV-Agent-MIB::cctDeviceLabel.17": "HOSTNAME",
      "SNMP-COMMUNITY-MIB::snmpTrapAddress.0": "1.2.3.4",
      "SNMP-COMMUNITY-MIB::snmpTrapCommunity.0": "public",
      "SNMPv2-MIB::snmpTrapEnterprise.0": "ETV-Agent-MIB::cctConfigChangeTrapTable",
      "SNMPv2-MIB::snmpTrapOID.0": "ETV-Agent-MIB::cctSingleConfigChangeTrap"
    }
  ]
}

 

The first issue I'm running into is with the .17, which increments with every new data point. The dot forces Splunk to treat the 17 as a new object in the path, and the fact that it increments prevents be from statically defining the key in my search string.

index=index
| spath output=time path=trap_recieved_ts
| spath output=alert path=traps.ETV-Agent-MIB::cctConfigChangeType.17
| spath output=device path=traps.ETV-Agent-MIB::cctDeviceLabel.17
| table time alert device

 

I've read that I should be able to do the following in order to identify the two problematic keys I'm interested in, but Splunk seems to just disregard the {}

 

index=index
| spath output=time path=trap_recieved_ts
| spath output=alert path=traps{2}
| spath output=device path=traps{3}
| table time alert device

 

Any suggestions?

Labels (1)
Tags (5)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Remove the numbering before the spath (and take into account the traps is a collection)

| rex mode=sed "s/(:cctConfigChangeTrapSequenceNumber)\.\d+/\1/g"
| rex mode=sed "s/(:cctConfigChangeType)\.\d+/\1/g"
| rex mode=sed "s/(:cctDeviceLabel)\.\d+/\1/g"
| spath output=time path=trap_recieved_ts
| spath output=alert path=traps{}.ETV-Agent-MIB::cctConfigChangeType
| spath output=device path=traps{}.ETV-Agent-MIB::cctDeviceLabel
| table time alert device

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

Remove the numbering before the spath (and take into account the traps is a collection)

| rex mode=sed "s/(:cctConfigChangeTrapSequenceNumber)\.\d+/\1/g"
| rex mode=sed "s/(:cctConfigChangeType)\.\d+/\1/g"
| rex mode=sed "s/(:cctDeviceLabel)\.\d+/\1/g"
| spath output=time path=trap_recieved_ts
| spath output=alert path=traps{}.ETV-Agent-MIB::cctConfigChangeType
| spath output=device path=traps{}.ETV-Agent-MIB::cctDeviceLabel
| table time alert device

cw
Engager

This worked perfectly. Thanks @ITWhisperer

0 Karma

manjunathmeti
SplunkTrust
SplunkTrust

hi @cw,

Just try with spath and assign output field values to new fields.

| makeresults 
| eval _raw="{
  \"trap_destination_ip\": \"1.2.3.4\",
  \"trap_recieved_epoch\": \"1234567890\",
  \"trap_recieved_ts\": \"2021-04-08 14:17:32\",
  \"trap_source_ip\": \"1.2.3.4\",
  \"traps\": [
    {
      \"DISMAN-EVENT-MIB::sysUpTimeInstance\": \"2:2:49:18.49\",
      \"ETV-Agent-MIB::cctConfigChangeTrapSequenceNumber.17\": \"Wrong Type (should be Counter32): 17\",
      \"ETV-Agent-MIB::cctConfigChangeType.17\": \"Switchover\",
      \"ETV-Agent-MIB::cctDeviceLabel.17\": \"HOSTNAME\",
      \"SNMP-COMMUNITY-MIB::snmpTrapAddress.0\": \"1.2.3.4\",
      \"SNMP-COMMUNITY-MIB::snmpTrapCommunity.0\": \"public\",
      \"SNMPv2-MIB::snmpTrapEnterprise.0\": \"ETV-Agent-MIB::cctConfigChangeTrapTable\",
      \"SNMPv2-MIB::snmpTrapOID.0\": \"ETV-Agent-MIB::cctSingleConfigChangeTrap\"
            }
  ]
}" 
| spath 
| eval time=trap_recieved_ts, device='traps{}.ETV-Agent-MIB::cctDeviceLabel.17', alert='traps{}.ETV-Agent-MIB::cctConfigChangeType.17' 
| table time alert device

 

If this reply helps you, a like would be appreciated.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...