Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Want To extract values from query output and create a table

RKP
Loves-to-Learn Everything
‎08-02-2024 03:19 AM

Here is the my output data. i want to create a table for path and responsetime . can you please help.

Expecting output is below:

path                                                                                     responsetime

/rkedgeapp/provider/dental/keysearch/           156

 

{"time": 1722582494370,"host1": "arn:aws:firehose:ca-central-1:2222222:deliverystream/Splunk-Kinesis-apigateway-CA","source1": "rkedgevil-restapi-Access-Logs:API-Gateway-Access-Logs_8o2y6hzl6e/prod","event": "{ \"requestId\":\"d85fa529-3979-44a3-9018-21f81e12eafd\", \"ip\": \"40.82.191.190\", \"caller\":\"-\", \"user\":\"-\",\"requestTime\":\"02/Aug/2024:07:08:14 +0000\", \"httpMethod\":\"POST\",\"resourcePath\":\"/{proxy+}\", \"status\":\"200\",\"protocol\":\"HTTP/1.1\", \"responseLength\":\"573\", \"clientCertIssuerDN\":\"C=GB,ST=Greater Manchester,L=Salford,O=Sectigo Limited,CN=Sectigo RSA Organization Validation Secure Server CA\", \"clientCertSerialNumber\":\"22210811239199552309700144370732535146\", \"clientCertNotBefore\":\"Jan 22 00:00:00 2024 GMT\", \"clientCertNotAfter\":\"Jan 21 23:59:59 2025 GMT\", \"path\":\"/rkedgeapp/provider/dental/keysearch/\", \"responsetime\":\"156\" }"}

Labels (1)
Labels
0 Karma
Reply

RKP
Loves-to-Learn Everything
‎08-02-2024 03:46 AM

Below  query is giving the 3000 events like that, how can i make this command work for that. can please give the straight command.

index="aws-apigateway" source1="rkedgevil-restapi-Access-Logs:API-Gateway-Access-Logs_8o2y6hzl/prod"

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-02-2024 03:34 AM 
| makeresults 
| eval _raw="{\"time\": 1722582494370,\"host1\": \"arn:aws:firehose:ca-central-1:2222222:deliverystream/Splunk-Kinesis-apigateway-CA\",\"source1\": \"rkedgevil-restapi-Access-Logs:API-Gateway-Access-Logs_8o2y6hzl6e/prod\",\"event\": \"{ \\\"requestId\\\":\\\"d85fa529-3979-44a3-9018-21f81e12eafd\\\", \\\"ip\\\": \\\"40.82.191.190\\\", \\\"caller\\\":\\\"-\\\", \\\"user\\\":\\\"-\\\",\\\"requestTime\\\":\\\"02/Aug/2024:07:08:14 +0000\\\", \\\"httpMethod\\\":\\\"POST\\\",\\\"resourcePath\\\":\\\"/{proxy+}\\\", \\\"status\\\":\\\"200\\\",\\\"protocol\\\":\\\"HTTP/1.1\\\", \\\"responseLength\\\":\\\"573\\\", \\\"clientCertIssuerDN\\\":\\\"C=GB,ST=Greater Manchester,L=Salford,O=Sectigo Limited,CN=Sectigo RSA Organization Validation Secure Server CA\\\", \\\"clientCertSerialNumber\\\":\\\"22210811239199552309700144370732535146\\\", \\\"clientCertNotBefore\\\":\\\"Jan 22 00:00:00 2024 GMT\\\", \\\"clientCertNotAfter\\\":\\\"Jan 21 23:59:59 2025 GMT\\\", \\\"path\\\":\\\"/rkedgeapp/provider/dental/keysearch/\\\", \\\"responsetime\\\":\\\"156\\\" }\"}"
``` the line above recreate your sample event ```
| spath
| spath input=event
| table path responsetime
0 Karma
Reply

RKP
Loves-to-Learn Everything
‎08-02-2024 03:55 AM

Below  query is giving the 3000 events like that, how can i make this command work for that. can please give the straight command.

index="aws-apigateway" source1="rkedgevil-restapi-Access-Logs:API-Gateway-Access-Logs_8o2y6hzl/prod"

Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-02-2024 04:05 AM

Try something like this

index="aws-apigateway" source1="rkedgevil-restapi-Access-Logs:API-Gateway-Access-Logs_8o2y6hzl/prod"
| spath
| spath input=event
| table path responsetime

 You may not need the first spath command if your ingestion path already recognises JSON data format.

0 Karma
Reply

RKP
Loves-to-Learn Everything
‎08-02-2024 04:26 AM

Its giving same output which i provided 1st.

{"time": 1722597668055,"host1": "arn:aws:firehose:ca-central-1:2222:deliverystream/Splunk-Kinesis-apigateway-CA","source1": "manuuatedgevil-restapi-Access-Logs:API-Gateway-Access-Logs_8o2y6hzl6e/prod","event": "{ \"requestId\":\"dffc1e08-83d7-4801-b10d-239efd1b7f7d\", \"ip\": \"40.82.191.190\", \"caller\":\"-\", \"user\":\"-\",\"requestTime\":\"02/Aug/2024:11:21:08 +0000\", \"httpMethod\":\"POST\",\"resourcePath\":\"/{proxy+}\", \"status\":\"200\",\"protocol\":\"HTTP/1.1\", \"responseLength\":\"573\", \"clientCertIssuerDN\":\"C=GB,ST=Greater Manchester,L=Salford,O=Sectigo Limited,CN=Sectigo RSA Organization Validation Secure Server CA\", \"clientCertSerialNumber\":\"22210811239199552309700144370732535146\", \"clientCertNotBefore\":\"Jan 22 00:00:00 2024 GMT\", \"clientCertNotAfter\":\"Jan 21 23:59:59 2025 GMT\", \"path\":\"/rkedgeapp/provider/dental/keysearch/\", \"responsetime\":\"172\" }"}
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-02-2024 04:33 AM

What is this that you have just shown? Please provide a screenshot

0 Karma
Reply

RKP
Loves-to-Learn Everything
‎08-02-2024 04:44 AM

RKP_0-1722599050923.png

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-02-2024 04:55 AM

What do you get if you do this

index="aws-apigateway" source1="rkedgevil-restapi-Access-Logs:API-Gateway-Access-Logs_8o2y6hzl/prod"
| table event
0 Karma
Reply

RKP
Loves-to-Learn Everything
‎08-02-2024 05:04 AM

RKP_0-1722600240785.png

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-02-2024 05:07 AM

What about when you do this?

index="aws-apigateway" source1="rkedgevil-restapi-Access-Logs:API-Gateway-Access-Logs_8o2y6hzl/prod"
| spath input=event
0 Karma
Reply

RKP
Loves-to-Learn Everything
‎08-02-2024 05:18 AM

RKP_0-1722601111019.png

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-02-2024 05:31 AM

Try this

index="aws-apigateway" source1="rkedgevil-restapi-Access-Logs:API-Gateway-Access-Logs_8o2y6hzl/prod"
| spath input=event
| table *
0 Karma
Reply

RKP
Loves-to-Learn Everything
‎08-02-2024 06:00 AM

Its showing most of the values but there is no path and responsetime

 

RKP_1-1722603588838.png

RKP_2-1722603652581.png

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-02-2024 06:34 AM

Can you do the same but scroll the view to the right to show the fields beginning with "p"

0 Karma
Reply

RKP
Loves-to-Learn Everything
‎08-02-2024 04:14 AM

Getting empty tables.

RKP_0-1722597209244.pngRKP_1-1722597224751.png

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-02-2024 04:21 AM

Remove the table command and see what you get

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...