Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Working with colon (:) and period (.) with spath

JKEverything
New Member
‎06-05-2024 12:41 PM

I have a field payload containing the following JSON:

 

{
    "cacheStats": {
        "lds:UiApi.getRecord": {
            "hits": 0,
            "misses": 1
        }
}

 



I can normally use spath to retrieve the hits and misses values:

 

cacheRecordHit=spath(payload,"cacheStats.someCacheProperty.hits")

 



But it seems the period and possibly the colon of the lds:UiApi.getRecord property are preventing it from navigating the JSON, such that:

 

| eval cacheRecordHit=spath(payload,"cacheStats.lds:UiApi.getRecord.hits")

 

 
returns no data.  I have tried the solution in this answer:

 

| spath path=payload output=convertedPayload
| eval convertedPayload=replace(convertedPayload,"lds:UiApi.getRecord","lds_UiApi_getRecord") 
| eval cacheRecordHit=spath(convertedPayload,"cacheStats.lds:UiApi.getRecord.hits")
| stats count,sum(hits)

 


but hits still returns as null.

Appreciate any insights.  🤝

Labels (2)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎06-06-2024 10:34 PM

There are many ways to get the results, as @bowesmana and @emdaax show.  One more alternative is json_extract_exact (JSON functions were introduced in 8.1)

| eval hits = json_extract(json_extract_exact(json_extract(payload, "cacheStats"), "lds:UiApi.getRecord"), "hits")

 

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎06-05-2024 08:10 PM

Use this

| spath input=payload
| rename cacheStats.lds:UiApi.getRecord.* as *

with or without the rename, but unless you rename, remember you need to wrap those fields in single quotes if you want to use them in subsequent eval statements (right hand side)

 

0 Karma
Reply

emdaax
Explorer
‎06-05-2024 01:45 PM

Hi @JKEverything 

Unfortunately, it seems that Splunk has problems using spath when names contain dots, so extracting the "lds
.getRecord" part and splitting it might not be that easy.

However, you can try the following workaround:

 

| makeresults
| eval payload = "{\"cacheStats\": {\"lds:UiApi.getRecord\": {\"hits\": 2, \"misses\": 1}}}"
| spath input=payload output=cacheStats path=cacheStats
| eval cacheStats = replace(cacheStats, "lds:UiApi.getRecord", "lds:UiApi_getRecord")
| spath input=cacheStats path="lds:UiApi_getRecord.hits" output=hits
| spath input=cacheStats path="lds:UiApi_getRecord.misses" output=misses

 

This would be a workaround for your use case.

P.S.: Karma points are always appreciated 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top