Re: Splunk Query

payyachamy · ‎05-10-2022

I have the logs in this way :

   measures: {
     API.V1.WEBS_ENTITLED_PRODUCTS: 296
     success: 300
   }

what can be the query so that i can display the field " API.V1.WEBS_ENTITLED_PRODUCTS" and not its value.

I want the output as "API.V1.WEBS_ENTITLED_PRODUCTS"

gcusello · ‎05-10-2022

you could use a regex like the following:

your_search
| rex "measures:\s+\{\s+(?<your_field>[^:]+)"

that you can test at https://regex101.com/r/0uOTvQ/1

Ciao.

Giuseppe

payyachamy · ‎05-10-2022

your_search
| rex "measures:\s+\{\s+(?<your_field>[^:]+)"

but the issue with this query is this particular field keeps on changing, so the query should be dynamic to pick the field which is coming in.

PickleRick · ‎05-10-2022

And what would be the criteria for selecting this particular event? Do you have this field parsed out of the event?

payyachamy · ‎05-10-2022

measures: {
     API.V1.WEBS_ENTITLED_PRODUCTS: 296
     success: 300
   }
   metadata: {
     downlink: 10
     effectiveType: 4g
   }
   name: WIDGET_LOAD.PIU

the thing here is I need a query which shows the API that is responsible for a widget load.

so I need a table which shows :

WIDGET. | API

-------------------------------------------------------------------

WIDGET_LOAD.PIU |. API.V1.WEBS_ENTITLED_PRODUCTS

PickleRick · ‎05-10-2022

Unfortunately, splunk has very limited event-level introspection capacities so you have to parse out the field name from the raw event on your own. If your event structure is relatively strict, it should be possible with regexes similarily to what @gcusello showed.

What can be the query so that i can display the field " API.V1.WEBS_ENTITLED_PRODUCTS" and not its value?

field extraction

fields

stats

table

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector