Solved: Re: Cannot use Fields Extracted from JSON by spath...

stricq · ‎02-08-2022

I cannot use any of the fields extracted by spath inside an eval. The result is always null.

Input: (formatted for easy reading)

{
  "meta": {
    "emit_interval_s": 600
  },
  "operations": {
    "kv": {
      "Get": {
        "total_count": 4,
        "percentiles_us": {
          "75": 17747.0,
          "95": 18706.0,
          "98": 18706.0,
          "99": 18706.0,
          "100": 18706.0
        }
      },
      "GetClusterConfig": {
        "total_count": 708,
        "percentiles_us": {
          "75": 13723.0,
          "95": 14339.550000000001,
          "98": 14567.56,
          "99": 18207.0,
          "100": 18207.0
        }
      },
      "GetMeta": {
        "total_count": 4,
        "percentiles_us": {
          "75": 15776.75,
          "95": 16761.0,
          "98": 16761.0,
          "99": 16761.0,
          "100": 16761.0
        }
      }
    }
  }
}

And this is query:

| spath input=json_field | eval a=operations.kv.Get.percentiles_us.100 | table json_field operations.kv.Get.percentiles_us.100 a

In the output, a is always null but the operations.kv.Get.percentiles_us.100 always displays the correct value.

What's happening here?

stricq · ‎02-08-2022

Of course, I've found the answer already. The trick is to use rename.

| rename operations.kv.Get.total_count as totalCount, operations.kv.Get.percentiles_us.100 as getPercentile100us | eval getPercentile100ms=(getPercentile100us/1000)

View solution in original post

stricq · ‎02-08-2022

Of course, I've found the answer already. The trick is to use rename.

| rename operations.kv.Get.total_count as totalCount, operations.kv.Get.percentiles_us.100 as getPercentile100us | eval getPercentile100ms=(getPercentile100us/1000)

Why do fields extracted from JSON by spath in eval result in null?

eval

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!

What’s New in Splunk Cloud Platform 9.1.2308?