
Why is my search not pulling all results from a log in JSON format?

janis_berzins
Engager

I need some help writing a search that can do the following things:

The log file below needs to be interrogated and the mean ElapsedTimeMs needs to be output for a given set of tests.

In the case shown below, that would be all InsertInvoice tests.

I need the lowest and highest values to be discarded from the calculation.

I also need to know the number of tests that were run for each set – i.e. how many InsertInvoice results there are (excluding the highest and lowest value containing ones).

My Search:

source="PerfTester_20-11-2015.txt20-11-2015.txt" host="sh1.tungsten.splunkcloud.com" index="genesis" sourcetype="GenesisPerfTest" 
| spath
| rename message.TestName AS TestNameTop, message.Results{}.TestName AS TestName, message.Results{}.ElapsedTimeMs AS ElapsedTimeMs, message.Results{}.Notes AS TestNotes 
| eval x=mvzip(TestName,ElapsedTimeMs,TestNotes)
| dedup x
| search TestName="InsertInvoice"
| table ElapsedTimeMs, TestNotes, TestName

For some reason, this search returns me all the results, but 3 times.

I suspect that the log is not formatted in the correct way. The results array might be missing object names like something that is used in the Notes object.

Example log:

{
    "date": "2015-11-20T10:27:07",
    "UID": "(null)",
    "SID": "(null)",
    "logger": "GENESIS.PERFTEST",
    "message": {
        "TestName": "InsertInvoice",
        "Notes": "Starting Insert testing with 10 tests",
        "Start": "2015-11-20T10:26:15.0825842+00:00",
        "End": "2015-11-20T10:27:07.5897673+00:00",
        "ElapsedTimeMs": 52499,
        "Results": [{
            "TestName": "InsertInvoice",
            "Notes": "Inserted invoice with InvoiceNumber 1",
            "Start": null,
            "End": null,
            "ElapsedTimeMs": 16245,
            "Results": null
        },
        {
            "TestName": "InsertInvoice",
            "Notes": "Inserted invoice with InvoiceNumber 10",
            "Start": null,
            "End": null,
            "ElapsedTimeMs": 35510,
            "Results": null
        },
        {
            "TestName": "InsertInvoice",
            "Notes": "Inserted invoice with InvoiceNumber 2",
            "Start": null,
            "End": null,
            "ElapsedTimeMs": 305,
            "Results": null
        },
        {
            "TestName": "InsertInvoice",
            "Notes": "Inserted invoice with InvoiceNumber 3",
            "Start": null,
            "End": null,
            "ElapsedTimeMs": 64,
            "Results": null
        },
        {
            "TestName": "InsertInvoice",
            "Notes": "Inserted invoice with InvoiceNumber 4",
            "Start": null,
            "End": null,
            "ElapsedTimeMs": 86,
            "Results": null
        },
        {
            "TestName": "InsertInvoice",
            "Notes": "Inserted invoice with InvoiceNumber 5",
            "Start": null,
            "End": null,
            "ElapsedTimeMs": 63,
            "Results": null
        },
        {
            "TestName": "InsertInvoice",
            "Notes": "Inserted invoice with InvoiceNumber 6",
            "Start": null,
            "End": null,
            "ElapsedTimeMs": 56,
            "Results": null
        },
        {
            "TestName": "InsertInvoice",
            "Notes": "Inserted invoice with InvoiceNumber 7",
            "Start": null,
            "End": null,
            "ElapsedTimeMs": 65,
            "Results": null
        },
        {
            "TestName": "InsertInvoice",
            "Notes": "Inserted invoice with InvoiceNumber 8",
            "Start": null,
            "End": null,
            "ElapsedTimeMs": 54,
            "Results": null
        },
        {
            "TestName": "InsertInvoice",
            "Notes": "Inserted invoice with InvoiceNumber 9",
            "Start": null,
            "End": null,
            "ElapsedTimeMs": 51,
            "Results": null
        }]
    }
}

javiergn
Super Champion

The following works for me (you can copy and paste it into your search GUI, the logic is at the bottom):

| stats count
| eval myjson = "{
\"date\": \"2015-11-20T10:27:07\",
\"UID\": \"(null)\",
\"SID\": \"(null)\",
\"logger\": \"GENESIS.PERFTEST\",
\"message\": {
\"TestName\": \"InsertInvoice\",
\"Notes\": \"Starting Insert testing with 10 tests\",
\"Start\": \"2015-11-20T10:26:15.0825842+00:00\",
\"End\": \"2015-11-20T10:27:07.5897673+00:00\",
\"ElapsedTimeMs\": 52499,
\"Results\": [{
\"TestName\": \"InsertInvoice\",
\"Notes\": \"Inserted invoice with InvoiceNumber 1\",
\"Start\": null,
\"End\": null,
\"ElapsedTimeMs\": 16245,
\"Results\": null
},
{
\"TestName\": \"InsertInvoice\",
\"Notes\": \"Inserted invoice with InvoiceNumber 10\",
\"Start\": null,
\"End\": null,
\"ElapsedTimeMs\": 35510,
\"Results\": null
},
{
\"TestName\": \"InsertInvoice\",
\"Notes\": \"Inserted invoice with InvoiceNumber 2\",
\"Start\": null,
\"End\": null,
\"ElapsedTimeMs\": 305,
\"Results\": null
},
{
\"TestName\": \"InsertInvoice\",
\"Notes\": \"Inserted invoice with InvoiceNumber 3\",
\"Start\": null,
\"End\": null,
\"ElapsedTimeMs\": 64,
\"Results\": null
},
{
\"TestName\": \"InsertInvoice\",
\"Notes\": \"Inserted invoice with InvoiceNumber 4\",
\"Start\": null,
\"End\": null,
\"ElapsedTimeMs\": 86,
\"Results\": null
},
{
\"TestName\": \"InsertInvoice\",
\"Notes\": \"Inserted invoice with InvoiceNumber 5\",
\"Start\": null,
\"End\": null,
\"ElapsedTimeMs\": 63,
\"Results\": null
},
{
\"TestName\": \"InsertInvoice\",
\"Notes\": \"Inserted invoice with InvoiceNumber 6\",
\"Start\": null,
\"End\": null,
\"ElapsedTimeMs\": 56,
\"Results\": null
},
{
\"TestName\": \"InsertInvoice\",
\"Notes\": \"Inserted invoice with InvoiceNumber 7\",
\"Start\": null,
\"End\": null,
\"ElapsedTimeMs\": 65,
\"Results\": null
},
{
\"TestName\": \"InsertInvoice\",
\"Notes\": \"Inserted invoice with InvoiceNumber 8\",
\"Start\": null,
\"End\": null,
\"ElapsedTimeMs\": 54,
\"Results\": null
},
{
\"TestName\": \"InsertInvoice\",
\"Notes\": \"Inserted invoice with InvoiceNumber 9\",
\"Start\": null,
\"End\": null,
\"ElapsedTimeMs\": 51,
\"Results\": null
}]
}
}"
| spath input=myjson
| fields *ElapsedTimeMs
| rename message.ElapsedTimeMs AS TotalElapsedTimeMs, message.Results{}.ElapsedTimeMs AS TestElapsedTimeMs
| mvexpand TestElapsedTimeMs
| sort 0 num(TestElapsedTimeMs)
| stats list(TestElapsedTimeMs) as TestElapsedTimeMs by TotalElapsedTimeMs
| eval TestElapsedTimeMs_NoMaxMin=mvindex(TestElapsedTimeMs, 1, mvcount(TestElapsedTimeMs)-2)
| stats 
    list(TotalElapsedTimeMs) as TotalElapsedTimeMs,
    list(TestElapsedTimeMs) as TestElapsedTimeMs, 
    avg(TestElapsedTimeMs) as Avg_TestElapsedTimeMs,
    list(TestElapsedTimeMs_NoMaxMin) as TestElapsedTimeMs_NoMaxMin, 
    avg(TestElapsedTimeMs_NoMaxMin) as Avg_TestElapsedTimeMs_NoMaxMin

And this is the result I'm getting:

[screenshot of the search results]

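The same calculation in Python, added here as a worked example that is not code from either post or from Splunk. It serves both the question (mean ElapsedTimeMs per test set with the lowest and highest value discarded, plus the count of remaining results) and the answer's mvexpand/sort/mvindex logic: it parses the pretty-printed JSON events back to back, groups message.Results by TestName, drops one lowest and one highest ElapsedTimeMs per test, and reports count and mean, which gives a reference figure to check the SPL output against. The InsertInvoice event in the sample is the one from the question, trimmed to the fields used; the second DeleteInvoice event is constructed to exercise grouping and the smallest set that still leaves something to average.

```python
import json

# Constructed sample log: the InsertInvoice event from the question (only the
# fields the calculation needs are kept), followed by a made-up DeleteInvoice
# event so that grouping by TestName is exercised too.
SAMPLE_LOG = """
{
    "date": "2015-11-20T10:27:07",
    "logger": "GENESIS.PERFTEST",
    "message": {
        "TestName": "InsertInvoice",
        "Notes": "Starting Insert testing with 10 tests",
        "ElapsedTimeMs": 52499,
        "Results": [
            {"TestName": "InsertInvoice", "Notes": "Inserted invoice with InvoiceNumber 1", "ElapsedTimeMs": 16245},
            {"TestName": "InsertInvoice", "Notes": "Inserted invoice with InvoiceNumber 10", "ElapsedTimeMs": 35510},
            {"TestName": "InsertInvoice", "Notes": "Inserted invoice with InvoiceNumber 2", "ElapsedTimeMs": 305},
            {"TestName": "InsertInvoice", "Notes": "Inserted invoice with InvoiceNumber 3", "ElapsedTimeMs": 64},
            {"TestName": "InsertInvoice", "Notes": "Inserted invoice with InvoiceNumber 4", "ElapsedTimeMs": 86},
            {"TestName": "InsertInvoice", "Notes": "Inserted invoice with InvoiceNumber 5", "ElapsedTimeMs": 63},
            {"TestName": "InsertInvoice", "Notes": "Inserted invoice with InvoiceNumber 6", "ElapsedTimeMs": 56},
            {"TestName": "InsertInvoice", "Notes": "Inserted invoice with InvoiceNumber 7", "ElapsedTimeMs": 65},
            {"TestName": "InsertInvoice", "Notes": "Inserted invoice with InvoiceNumber 8", "ElapsedTimeMs": 54},
            {"TestName": "InsertInvoice", "Notes": "Inserted invoice with InvoiceNumber 9", "ElapsedTimeMs": 51}
        ]
    }
}
{"date": "2015-11-20T10:30:00", "logger": "GENESIS.PERFTEST",
 "message": {"TestName": "DeleteInvoice", "ElapsedTimeMs": 30, "Results": [
    {"TestName": "DeleteInvoice", "ElapsedTimeMs": 12},
    {"TestName": "DeleteInvoice", "ElapsedTimeMs": 8},
    {"TestName": "DeleteInvoice", "ElapsedTimeMs": 10}]}}
"""


def parse_events(text):
    """Parse a file holding one or more JSON documents back to back (pretty-printed
    or one per line). A malformed document raises json.JSONDecodeError."""
    decoder = json.JSONDecoder()
    events = []
    pos, end = 0, len(text)
    while pos < end:
        while pos < end and text[pos].isspace():  # skip gaps between documents
            pos += 1
        if pos >= end:
            break
        obj, pos = decoder.raw_decode(text, pos)
        events.append(obj)
    return events


def collect_results(events):
    """Map each result-level TestName to its ElapsedTimeMs values, reading
    message.Results of every event. Rows without a numeric value are skipped."""
    by_test = {}
    for event in events:
        for row in (event.get("message") or {}).get("Results") or []:
            ms = row.get("ElapsedTimeMs")
            if isinstance(ms, (int, float)):
                by_test.setdefault(row.get("TestName"), []).append(ms)
    return by_test


def trimmed_stats(values):
    """Drop one lowest and one highest value, then return (count, mean) of the
    rest. With fewer than three values nothing is left to average: return None
    instead of dividing by zero."""
    if len(values) < 3:
        return None
    kept = sorted(values)[1:-1]          # same as sort + mvindex(x, 1, mvcount(x)-2)
    return len(kept), sum(kept) / len(kept)


def summarize(events):
    """Per TestName: result count and mean ElapsedTimeMs, raw and trimmed."""
    summary = {}
    for name, values in collect_results(events).items():
        trimmed = trimmed_stats(values)
        summary[name] = {
            "raw_count": len(values),
            "raw_mean": sum(values) / len(values),
            "trimmed_count": trimmed[0] if trimmed else 0,
            "trimmed_mean": trimmed[1] if trimmed else None,
        }
    return summary


def run_sample():
    """Summarise the embedded sample log."""
    return summarize(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for name, s in run_sample().items():
        print(f"{name}: {s['trimmed_count']} of {s['raw_count']} results kept, "
              f"trimmed mean {s['trimmed_mean']} ms (raw mean {s['raw_mean']} ms)")
```

For the question's event this keeps 8 of the 10 InsertInvoice results with a trimmed mean of 2117.25 ms, against 5249.9 ms over all ten, which is the figure the answer's `avg(TestElapsedTimeMs_NoMaxMin)` should reproduce. The parser reads the events as a sequence of JSON documents rather than assuming one per line, so the pretty-printed layout shown in the question is handled as-is.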

javiergn
Super Champion

I have added some extra logic above and pasted a screenshot with the results.
Hope that helps.
