Splunk Search

How to retrieve the channel code from this JSON request

splunk6
Path Finder

REQUEST="{"body":{"customer":{"accountNumber":"DBC50012225699","lineNumber":"5000654224"},"equipment":{"serialNumber":"351643935649535","grade":"A"},"redemptionDetails":{"redemptionDate":"20240502","user":"BMashiana","storeNumber":"WCCA0105","dealerNumber":"GW_STORE"}},"headers":{"content-type":"application/json;charset=UTF-8","Accept":"application/json;charset=UTF-8","Channel":"6","Locale":"en-US","TransactionID":"E86B7D59-B3CC-401D-977F-65218248367E","ApplicationID":"00000411","Authorization":"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg=="}}",

 

Below is my splunk query:

index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem"
| rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\", RETRYNO"
| spath input=REQUEST
|spath input=REQUEST output=accountNumber path=body.customer{}.accountNumber
|mvexpand accountNumber
|spath input=REQUEST output=serialNumber path=body.equipment{}.serialNumber
|mvexpand serialNumber
|spath input=REQUEST output=Channel path=body{}{}.headers{}{}.Channel
|mvexpand Channel
|spath input=RESPONSE
|spath input=RESPONSE output=redemptionEquipmentMemory path=body.model{}.redemptionEquipmentMemory
|mvexpand redemptionEquipmentMemory
|spath input=RESPONSE output=transactionReferenceNumber path=body.model{}.transactionReferenceNumber
|mvexpand transactionReferenceNumber
|table accountNumber serialNumber Channel redemptionEquipmentMemory transactionReferenceNumber



Can someone suggest how to retrieve the channel from this request? It's empty for me. Also, it's inside body->headers->channel. How do I retrieve the second element from the request input?

Please, someone reply, as it is very urgent for me to complete my work.

 

0 Karma
1 Solution

ITWhisperer
SplunkTrust

splunk6
Path Finder

Here is my complete data:


2024-05-02 23:40:22.000, ID="5e2276d3-7f02-7984-ad4b-e11507580872", ACCOUNTID="5", ACCOUNTNAME="prd", APPLICATIONID="6", APPLICATIONNAME="ws", REQUEST="{"body":{"customer":{"accountNumber":"DBC00089571590","lineNumber":"8604338"},"equipment":{"serialNumber":"359938615394762","grade":"A"},"redemptionDetails":{"redemptionDate":"20240502","user":"WVMSKaul","storeNumber":"WD227907","dealerNumber":"2279"}},"headers":{"content-type":"application/json;charset=UTF-8","Accept":"application/json;charset=UTF-8","Channel":"6","Locale":"en-US","TransactionID":"65E5519B-F170-4367-AA03-54A33BA29B4E","ApplicationID":"00000411","Authorization":"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg=="}}", RESPONSE="{"body":{"model":{"isRedeemed":true,"transactionReferenceNumber":"6200753992","redeemType":"Original","redemptionFailureReasonType":null,"redemptionEquipmentMake":"Samsung","redemptionEquipmentModel":"Galaxy S21 FE 128GB Graphite","redemptionEquipmentMemory":"128 GB","committedPrice":1,"additionalFees":0},"code":200,"messages":null,"isSuccess":true},"headers":{"connection":"close","content-type":"application/json;charset=utf-8","set-cookie":["AWSELB=B3A9CDE108B7A1C9F0AFA19D2F1D801BC5EA2DB758E049CA400C049FE7C310DF0BB906899FF431BCEF2EF75D94E40E95B107D7A5B122F6844BA88CEC0D864FC12E75279814;PATH=/","AWSELBCORS=B3A9CDE108B7A1C9F0AFA19D2F1D801BC5EA2DB758E049CA400C049FE7C310DF0BB906899FF431BCEF2EF75D94E40E95B107D7A5B122F6844BA88CEC0D864FC12E75279814;PATH=/;SECURE;SAMESITE=None","visid_incap_968152=gpkNFRF6QtKeSmDdY/9FWWUkNGYAAAAAQUIPAAAAAABmisXXPd3Y2+ulqGUibHZU; expires=Fri, 02 May 2025 07:12:03 GMT; HttpOnly; path=/; Domain=.likewize.com","nlbi_968152=FnwQGi3rMWk+u+PCILjsZwAAAACniSzzxzSlwTCqfbP87/10; path=/; Domain=.likewize.com","incap_ses_677_968152=2ZElDA77lnjppwgU8y9lCWUkNGYAAAAArXuktDctGDMtVtCwqfe5bw==; path=/; Domain=.likewize.com"],"content-length":"349","server":"Jetty(9.4.45.v20220203)"}}", RETRYNO="0", ENDPOINT="https://apptium.freedommobile.ca/Activation.TradeUp", OPERATION="/FPC/Redemption/Redeem", METHOD="POST", CONNECTORID="0748a993-4566-48ae-9885-2a4dce9de585", CONNECTORNAME="Likewize", CONNECTORTYPE="Application", CONNECTORSUBTYPE="REST", STARTTIME="1714693218282", ENDTIME="1714693222213", RESPONSETIME="3931", SUCCESS="1", CLIENT="eportal-services", CREATEDDATE="2024-05-02 23:40:22", USERNAME="WVMSKaul@wmbd.local", SESSIONID="_027c735b-30ed-472c-99e8-6d0748e5a7d9", ACTIONID="5c0a6f88-5a1e-4fdc-a454-01c53fdc0b9b", TRACKID="674e1eed-ba9e-429f-87fc-3b4773b7dd06"

0 Karma

yuanliu
SplunkTrust

Now you see the importance of illustrating data accurately.  My answer could only give you Channel because the only data snippet I could see has Channel.  Now, you can see that accountNumber is a subnode in REQUEST.body.customer, serialNumber is a subnode in REQUEST.body.equipment, while redemptionEquipmentMemory and transactionReferenceNumber are those in RESPONSE.body.model.  Your initial data snippet already established that Channel is a subnode in REQUEST.headers.

All this is to say that to write the correct SPL, you need to understand data.  Before trying to render results, use SPL to help analyze data.

Now that you know where in the JSON structure each of those fields lies, you can just extract each node.  But doing so usually is too laborious and not good for maintenance and enhancement.  So, I will give more flexible code:

 

index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem"
| rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\", RETRYNO"
| spath input=REQUEST path=headers
| spath input=REQUEST path=body output=REQUEST
| spath input=RESPONSE path=body output=RESPONSE
| foreach headers REQUEST RESPONSE
    [spath input=<<FIELD>>]
```| spath input=RESPONSE path=headers.set-cookie{}
| mvexpand headers.set-cookie{}```
| foreach customer equipment model
    [rename <<FIELD>>.* AS *]
|table accountNumber serialNumber Channel redemptionEquipmentMemory transactionReferenceNumber

 

This is an emulation of your sample data:

 

| makeresults
| eval _raw = "2024-05-02 23:40:22.000, ID=\"5e2276d3-7f02-7984-ad4b-e11507580872\", ACCOUNTID=\"5\", ACCOUNTNAME=\"prd\", APPLICATIONID=\"6\", APPLICATIONNAME=\"ws\", REQUEST=\"{\"body\":{\"customer\":{\"accountNumber\":\"DBC00089571590\",\"lineNumber\":\"8604338\"},\"equipment\":{\"serialNumber\":\"359938615394762\",\"grade\":\"A\"},\"redemptionDetails\":{\"redemptionDate\":\"20240502\",\"user\":\"WVMSKaul\",\"storeNumber\":\"WD227907\",\"dealerNumber\":\"2279\"}},\"headers\":{\"content-type\":\"application/json;charset=UTF-8\",\"Accept\":\"application/json;charset=UTF-8\",\"Channel\":\"6\",\"Locale\":\"en-US\",\"TransactionID\":\"65E5519B-F170-4367-AA03-54A33BA29B4E\",\"ApplicationID\":\"00000411\",\"Authorization\":\"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg==\"}}\", RESPONSE=\"{\"body\":{\"model\":{\"isRedeemed\":true,\"transactionReferenceNumber\":\"6200753992\",\"redeemType\":\"Original\",\"redemptionFailureReasonType\":null,\"redemptionEquipmentMake\":\"Samsung\",\"redemptionEquipmentModel\":\"Galaxy S21 FE 128GB Graphite\",\"redemptionEquipmentMemory\":\"128 GB\",\"committedPrice\":1,\"additionalFees\":0},\"code\":200,\"messages\":null,\"isSuccess\":true},\"headers\":{\"connection\":\"close\",\"content-type\":\"application/json;charset=utf-8\",\"set-cookie\":[\"AWSELB=B3A9CDE108B7A1C9F0AFA19D2F1D801BC5EA2DB758E049CA400C049FE7C310DF0BB906899FF431BCEF2EF75D94E40E95B107D7A5B122F6844BA88CEC0D864FC12E75279814;PATH=/\",\"AWSELBCORS=B3A9CDE108B7A1C9F0AFA19D2F1D801BC5EA2DB758E049CA400C049FE7C310DF0BB906899FF431BCEF2EF75D94E40E95B107D7A5B122F6844BA88CEC0D864FC12E75279814;PATH=/;SECURE;SAMESITE=None\",\"visid_incap_968152=gpkNFRF6QtKeSmDdY/9FWWUkNGYAAAAAQUIPAAAAAABmisXXPd3Y2+ulqGUibHZU; expires=Fri, 02 May 2025 07:12:03 GMT; HttpOnly; path=/; Domain=.likewize.com\",\"nlbi_968152=FnwQGi3rMWk+u+PCILjsZwAAAACniSzzxzSlwTCqfbP87/10; path=/; Domain=.likewize.com\",\"incap_ses_677_968152=2ZElDA77lnjppwgU8y9lCWUkNGYAAAAArXuktDctGDMtVtCwqfe5bw==; path=/; Domain=.likewize.com\"],\"content-length\":\"349\",\"server\":\"Jetty(9.4.45.v20220203)\"}}\", RETRYNO=\"0\", ENDPOINT=\"https://apptium.freedommobile.ca/Activation.TradeUp\", OPERATION=\"/FPC/Redemption/Redeem\", METHOD=\"POST\", CONNECTORID=\"0748a993-4566-48ae-9885-2a4dce9de585\", CONNECTORNAME=\"Likewize\", CONNECTORTYPE=\"Application\", CONNECTORSUBTYPE=\"REST\", STARTTIME=\"1714693218282\", ENDTIME=\"1714693222213\", RESPONSETIME=\"3931\", SUCCESS=\"1\", CLIENT=\"eportal-services\", CREATEDDATE=\"2024-05-02 23:40:22\", USERNAME=\"WVMSKaul@wmbd.local\", SESSIONID=\"_027c735b-30ed-472c-99e8-6d0748e5a7d9\", ACTIONID=\"5c0a6f88-5a1e-4fdc-a454-01c53fdc0b9b\", TRACKID=\"674e1eed-ba9e-429f-87fc-3b4773b7dd06\""
``` the above emulates
index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem"
```

 

The output from the emulated data is:

accountNumber   serialNumber     Channel  redemptionEquipmentMemory  transactionReferenceNumber
DBC00089571590  359938615394762  6        128 GB                     6200753992

Finally, I want to illustrate the most inflexible implementation: custom extraction of the needed fields directly.

 

index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem"
| rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\", RETRYNO"
| spath input=REQUEST path=headers.Channel output=Channel
| spath input=REQUEST path=body.customer.accountNumber output=accountNumber
| spath input=REQUEST path=body.equipment.serialNumber output=serialNumber
| spath input=RESPONSE path=body.model.redemptionEquipmentMemory output=redemptionEquipmentMemory
| spath input=RESPONSE path=body.model.transactionReferenceNumber output=transactionReferenceNumber
| table accountNumber serialNumber Channel redemptionEquipmentMemory transactionReferenceNumber

 

Since 8.1, you can also implement these one-to-one extractions using json_extract.

 

index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem"
| rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\", RETRYNO"
| eval Channel = json_extract(REQUEST, "headers.Channel")
| eval accountNumber = json_extract(REQUEST, "body.customer.accountNumber")
| eval serialNumber = json_extract(REQUEST, "body.equipment.serialNumber")
| eval redemptionEquipmentMemory = json_extract(RESPONSE, "body.model.redemptionEquipmentMemory")
| eval transactionReferenceNumber = json_extract(RESPONSE, "body.model.transactionReferenceNumber")
| table accountNumber serialNumber Channel redemptionEquipmentMemory transactionReferenceNumber

 

 

0 Karma

splunk6
Path Finder

Hi 


 

index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem"
| rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\", RETRYNO"
| spath input=REQUEST
| rename headers.* AS *
|rename body.customer.* AS *
|rename body.equipment.serialNumber.* AS *
|rename body.model.redemptionEquipmentMemory.* AS *
|rename body.model.transactionReferenceNumber.* AS *
|table Channel accountNumber serialNumber redemptionEquipmentMemory transactionReferenceNumber

I have modified the query as you stated; I am getting only the account number and channel code in my results, not the other fields.

 

0 Karma

yuanliu
SplunkTrust

Do you mean you have a field named REQUEST with JSON data as illustrated, and want to have data like this:

field name                             field value
body.customer.accountNumber            DBC50012225699
body.customer.lineNumber               5000654224
body.equipment.grade                   A
body.equipment.serialNumber            351643935649535
body.redemptionDetails.dealerNumber    GW_STORE
body.redemptionDetails.redemptionDate  20240502
body.redemptionDetails.storeNumber     WCCA0105
body.redemptionDetails.user            BMashiana
headers.Accept                         application/json;charset=UTF-8
headers.ApplicationID                  00000411
headers.Authorization                  Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg==
headers.Channel                        6
headers.Locale                         en-US
headers.TransactionID                  E86B7D59-B3CC-401D-977F-65218248367E
headers.content-type                   application/json;charset=UTF-8

where headers.Channel has value 6?

REQUEST does not contain any array, why the complicated path?  All you need is

 

| spath input=REQUEST
| rename headers.* AS *

 

Here is an emulation based on your sample data.

 

| makeresults
| eval REQUEST="{\"body\":{\"customer\":{\"accountNumber\":\"DBC50012225699\",\"lineNumber\":\"5000654224\"},\"equipment\":{\"serialNumber\":\"351643935649535\",\"grade\":\"A\"},\"redemptionDetails\":{\"redemptionDate\":\"20240502\",\"user\":\"BMashiana\",\"storeNumber\":\"WCCA0105\",\"dealerNumber\":\"GW_STORE\"}},\"headers\":{\"content-type\":\"application/json;charset=UTF-8\",\"Accept\":\"application/json;charset=UTF-8\",\"Channel\":\"6\",\"Locale\":\"en-US\",\"TransactionID\":\"E86B7D59-B3CC-401D-977F-65218248367E\",\"ApplicationID\":\"00000411\",\"Authorization\":\"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg==\"}}"
``` the above emulates
index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem"
| rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\", RETRYNO"
```
| spath input=REQUEST
| rename headers.* AS *
| table accountNumber serialNumber Channel redemptionEquipmentMemory transactionReferenceNumber

 

The output is:

accountNumber  serialNumber  Channel  redemptionEquipmentMemory  transactionReferenceNumber
                             6

Obviously I do not have RESPONSE data.  But play with it and compare with real REQUEST data.

0 Karma

splunk6
Path Finder

Hi 

Just to add on to this existing query: I need to get the memory details from REQUEST alone. My raw data is like the below, and this memory is also not available in all the events. So I need to fetch a report with only the events that have "memory" in the REQUEST (not all events have this "memory" in the REQUEST). Please help asap.


 

0 Karma
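The request above asks for a report limited to events whose REQUEST carries a "memory" key, where the key is absent from some events and its exact position in the JSON is not shown. The following is an added example, not SPL from the thread and not Splunk code: it walks each parsed REQUEST recursively for a key named memory, so the caller does not have to guess the producer's path, and drops events without it (the same effect as a `where isnotnull(Memory)` after an spath). The sample REQUEST values are constructed; placing memory under body.equipment in the samples is an assumption made for the sake of the example.

```python
"""Added example (not the thread's SPL): report only the events whose REQUEST
JSON carries a "memory" key, when that key may be absent and its exact
location is not given.  Sample REQUEST values are constructed; placing
memory under body.equipment is an assumption for the sake of the sample."""
import json
from typing import Any, Iterator, List, Optional, Tuple

# Constructed REQUEST values in the thread's shape (headers/body trimmed).
SAMPLE_REQUESTS = [
    '{"body":{"customer":{"accountNumber":"DBC50012225699"},'
    '"equipment":{"serialNumber":"351643935649535","grade":"A","memory":"128 GB"}},'
    '"headers":{"Channel":"6"}}',
    '{"body":{"customer":{"accountNumber":"DBC00089571590"},'
    '"equipment":{"serialNumber":"359938615394762","grade":"A"}},'
    '"headers":{"Channel":"6"}}',
    '{"body":{"customer":{"accountNumber":"DBC00000000001"},'
    '"equipment":{"serialNumber":"350000000000001","grade":"B","memory":"256 GB"}},'
    '"headers":{"Channel":"7"}}',
    'not json at all',   # a malformed REQUEST must not abort the whole report
]


def find_key(obj: Any, key: str, prefix: str = "") -> Iterator[Tuple[str, Any]]:
    """Yield (dotted.path, value) for every occurrence of KEY anywhere in OBJ.

    Objects and arrays are walked recursively, so the caller does not need to
    know in advance where the producer placed the key.  Array positions are
    rendered as {index} in the returned path.
    """
    if isinstance(obj, dict):
        for k, v in obj.items():
            path = f"{prefix}.{k}" if prefix else k
            if k == key:
                yield path, v
            yield from find_key(v, key, path)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from find_key(v, key, f"{prefix}{{{i}}}")


def parse_request(raw: str) -> Optional[Any]:
    """Parse one REQUEST value; return None instead of raising on bad JSON."""
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return None


def memory_report(requests: List[str]) -> List[dict]:
    """One row per event that has a memory key.  Events without the key, or
    whose REQUEST does not parse, are left out of the report."""
    rows = []
    for raw in requests:
        req = parse_request(raw)
        if req is None:
            continue
        hits = list(find_key(req, "memory"))
        if not hits:
            continue
        path, value = hits[0]          # first occurrence is reported
        acct = req.get("body", {}).get("customer", {}).get("accountNumber")
        rows.append({"accountNumber": acct, "memory": value, "memoryPath": path})
    return rows


if __name__ == "__main__":
    for row in memory_report(SAMPLE_REQUESTS):
        print(row)
```

Reporting the path alongside the value is deliberate: once the report shows where the producer actually puts memory, that path can be used directly in an spath or json_extract call, and the recursive search is no longer needed.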

rafamss
Contributor

Hi @splunk6,

The mvexpand should work, but if not, as you mentioned, maybe the rex command could fix that for you.

To get all the matches of Channel: 

 

| makeresults
| eval request="REQUEST=\"{\"body\":{\"customer\":{\"accountNumber\":\"DBC50012225699\",\"lineNumber\":\"5000654224\"},\"equipment\":{\"serialNumber\":\"351643935649535\",\"grade\":\"A\"},\"redemptionDetails\":{\"redemptionDate\":\"20240502\",\"user\":\"BMashiana\",\"storeNumber\":\"WCCA0105\",\"dealerNumber\":\"GW_STORE\"}},\"headers\":{\"content-type\":\"application/json;charset=UTF-8\",\"Accept\":\"application/json;charset=UTF-8\",\"Channel\":\"6\",\"Locale\":\"en-US\",\"TransactionID\":\"E86B7D59-B3CC-401D-977F-65218248367E\",\"ApplicationID\":\"00000411\",\"Authorization\":\"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg==\"}}\",REQUEST=\"{\"body\":{\"customer\":{\"accountNumber\":\"DBC50012225699\",\"lineNumber\":\"5000654224\"},\"equipment\":{\"serialNumber\":\"351643935649535\",\"grade\":\"A\"},\"redemptionDetails\":{\"redemptionDate\":\"20240502\",\"user\":\"BMashiana\",\"storeNumber\":\"WCCA0105\",\"dealerNumber\":\"GW_STORE\"}},\"headers\":{\"content-type\":\"application/json;charset=UTF-8\",\"Accept\":\"application/json;charset=UTF-8\",\"Channel\":\"7\",\"Locale\":\"en-US\",\"TransactionID\":\"E86B7D59-B3CC-401D-977F-65218248367E\",\"ApplicationID\":\"00000411\",\"Authorization\":\"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg==\"}}\","
| rex max_match=0 field=request "\,\"Channel\"\:\"(?<Channel>.+?)\""

 

To get only one result for the channel (the first one) by search:

 

| makeresults
| eval request="REQUEST=\"{\"body\":{\"customer\":{\"accountNumber\":\"DBC50012225699\",\"lineNumber\":\"5000654224\"},\"equipment\":{\"serialNumber\":\"351643935649535\",\"grade\":\"A\"},\"redemptionDetails\":{\"redemptionDate\":\"20240502\",\"user\":\"BMashiana\",\"storeNumber\":\"WCCA0105\",\"dealerNumber\":\"GW_STORE\"}},\"headers\":{\"content-type\":\"application/json;charset=UTF-8\",\"Accept\":\"application/json;charset=UTF-8\",\"Channel\":\"6\",\"Locale\":\"en-US\",\"TransactionID\":\"E86B7D59-B3CC-401D-977F-65218248367E\",\"ApplicationID\":\"00000411\",\"Authorization\":\"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg==\"}}\",REQUEST=\"{\"body\":{\"customer\":{\"accountNumber\":\"DBC50012225699\",\"lineNumber\":\"5000654224\"},\"equipment\":{\"serialNumber\":\"351643935649535\",\"grade\":\"A\"},\"redemptionDetails\":{\"redemptionDate\":\"20240502\",\"user\":\"BMashiana\",\"storeNumber\":\"WCCA0105\",\"dealerNumber\":\"GW_STORE\"}},\"headers\":{\"content-type\":\"application/json;charset=UTF-8\",\"Accept\":\"application/json;charset=UTF-8\",\"Channel\":\"7\",\"Locale\":\"en-US\",\"TransactionID\":\"E86B7D59-B3CC-401D-977F-65218248367E\",\"ApplicationID\":\"00000411\",\"Authorization\":\"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg==\"}}\","
| rex field=request "\,\"Channel\"\:\"(?<Channel>.+?)\""

 


 


 

Note: It's important to mention that I created the request field to add your REQUEST field value into the | makeresults, ok? In your code, you should use only the rex field=REQUEST, with or without max_match=0.

I hope it helps you.

Happy splunking!

splunk6
Path Finder

Hi 

Just to add on to this existing query: I need to get the memory details from REQUEST alone. My raw data is like the below, and this memory is also not available in all the events. So I need to fetch a report with only the events that have "memory" in the REQUEST (not all events have this "memory" in the REQUEST). Please help asap.


My existing query is:

index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem"
|rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\""
|spath input=REQUEST output=AccountNumber path=body.customer{}.accountNumber
|spath input=REQUEST output=IMEI path=body.equipment{}.serialNumber
|spath input=REQUEST output=Channel path=headers{}.Channel
|spath input=RESPONSE output=Memory path=body.model{}.redemptionEquipmentMemory
|spath input=RESPONSE output=TransactionRefNo path=body.model{}.transactionReferenceNumber
|table AccountNumber IMEI Channel Memory TransactionRefNo |sort TransactionRefNo

 

0 Karma

splunk6
Path Finder

Thanks, I tried extracting the request and response using rex on _raw and filtering the fields using spath.

0 Karma

ITWhisperer
SplunkTrust

Is this now solved using answers to this question and your very similar question https://community.splunk.com/t5/Splunk-Search/how-to-retrieve-the-value-from-json-input-using-splunk...?

splunk6
Path Finder

Hi 

Just to add on to this existing query: I need to get the memory details from REQUEST alone. My raw data is like the below, and this memory is also not available in all the events. So I need to fetch a report with only the events that have "memory" in the REQUEST (not all events have this "memory" in the REQUEST). Please help asap.


 

My existing query is:

index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem"
|rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\""
|spath input=REQUEST output=AccountNumber path=body.customer{}.accountNumber
|spath input=REQUEST output=IMEI path=body.equipment{}.serialNumber
|spath input=REQUEST output=Channel path=headers{}.Channel
|spath input=RESPONSE output=Memory path=body.model{}.redemptionEquipmentMemory
|spath input=RESPONSE output=TransactionRefNo path=body.model{}.transactionReferenceNumber
|table AccountNumber IMEI Channel Memory TransactionRefNo |sort TransactionRefNo

0 Karma

PickleRick
SplunkTrust

No! Don't try to handle structured data with simple regexes. Unless you're very very very sure that the format is constant and it always will be (which is typically not something you can rely on since even the developers writing the solutions that produce such events don't know the exact order of fields that will be sent by their program) handling json or XML with regex is asking for trouble.

splunk6
Path Finder

Is there any other way of handling JSON content using the rex command which would be much easier? Although my request is not completely in JSON format.

0 Karma

yuanliu
SplunkTrust

Is there any other way of handling JSON content using the rex command which would be much easier? Although my request is not completely in JSON format.

You must understand why @PickleRick and I keep telling you not to try using rex to handle structured data like JSON: rex is the wrong tool because syntax is not bound by format in JSON.  The same semantics can be expressed by a million variants of format while conforming to the same syntax. {"ka":"va","kb":"vb"} is exactly the same as {"kb":"vb","ka":"va"}.  Any rex you develop will always be unstable.  By insisting on using regex, i.e., treating structured data as pure text, you are just reinforcing some bad habit that will inhibit your abilities in the future.
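The point made here, and in the earlier answer that walks through where each field sits (REQUEST.headers.Channel, REQUEST.body.customer.accountNumber, RESPONSE.body.model.*), can be seen concretely outside Splunk. The following is an added example written for this thread, not Splunk code and not any poster's SPL: it takes the log-line shape from the thread, pulls each embedded JSON object out with a JSON decoder instead of a field-order regex, and resolves spath-style dotted paths, including the `{}` array notation that the original query misapplied to objects. The events are constructed and abbreviated from the thread's sample; the second event is identical except that RESPONSE is written before REQUEST, which is where the thread's `REQUEST=... RESPONSE=... RETRYNO` regex stops matching while the structural lookup still returns the same five columns.

```python
"""Added example (not Splunk or the thread's SPL): parse the REQUEST/RESPONSE
JSON out of the transaction-log line format shown in the thread structurally,
the way spath/json_extract do, and resolve spath-style dotted paths.
Sample events are constructed and abbreviated from the thread's data."""
import json
import re
from typing import Any, Optional

# Constructed samples: the embedded JSON is not escaped inside REQUEST="...",
# exactly as in the thread's raw event.
REQUEST_JSON = (
    '{"body":{"customer":{"accountNumber":"DBC00089571590","lineNumber":"8604338"},'
    '"equipment":{"serialNumber":"359938615394762","grade":"A"}},'
    '"headers":{"content-type":"application/json;charset=UTF-8","Channel":"6","Locale":"en-US"}}'
)
RESPONSE_JSON = (
    '{"body":{"model":{"isRedeemed":true,"transactionReferenceNumber":"6200753992",'
    '"redemptionEquipmentMemory":"128 GB"},"code":200},'
    '"headers":{"set-cookie":["AWSELB=placeholder;PATH=/","nlbi=placeholder; path=/"]}}'
)


def build_event(pairs) -> str:
    """Join NAME="value" pairs the way the connector log writes them."""
    return ", ".join(f'{k}="{v}"' for k, v in pairs)


SAMPLE_EVENT = build_event([("ID", "event-1"), ("REQUEST", REQUEST_JSON),
                            ("RESPONSE", RESPONSE_JSON), ("RETRYNO", "0")])
# Same fields, but the producer wrote RESPONSE before REQUEST.
SWAPPED_EVENT = build_event([("ID", "event-2"), ("RESPONSE", RESPONSE_JSON),
                             ("REQUEST", REQUEST_JSON), ("RETRYNO", "0")])

# The thread's rex, ported to Python syntax: it hard-codes the field order.
THREAD_REX = re.compile(r'REQUEST="(?P<REQUEST>.+)", RESPONSE="(?P<RESPONSE>.+)", RETRYNO')


def rex_split(event: str) -> Optional[dict]:
    """What the thread's regex extracts, or None when the order differs."""
    m = THREAD_REX.search(event)
    return m.groupdict() if m else None


_DECODER = json.JSONDecoder()


def extract_json_field(event: str, name: str) -> Optional[Any]:
    """Return the JSON object stored as NAME="{...}" wherever it sits.

    Find the opening brace after NAME=" and let the decoder consume exactly
    one object; raw_decode stops at the matching closing brace regardless of
    nesting depth or of which fields follow it.
    """
    m = re.search(r'\b' + re.escape(name) + r'="\{', event)
    if not m:
        return None
    obj, _end = _DECODER.raw_decode(event, m.end() - 1)
    return obj


def spath_get(obj: Any, path: str) -> Any:
    """Resolve a dotted path; a step ending in '{}' denotes array elements,
    as in spath path syntax.  This resolver treats '{}' on a non-array as no
    match, which is why body.customer{}.accountNumber yields None here:
    customer is an object, not an array."""
    cur = obj
    for step in path.split("."):
        want_array = step.endswith("{}")
        key = step[:-2] if want_array else step
        if key:
            if not isinstance(cur, dict) or key not in cur:
                return None
            cur = cur[key]
        if want_array and not isinstance(cur, list):
            return None
    return cur


def extract_record(event: str) -> dict:
    """The five columns of the thread's final table, by structural lookup."""
    req = extract_json_field(event, "REQUEST") or {}
    resp = extract_json_field(event, "RESPONSE") or {}
    return {
        "accountNumber": spath_get(req, "body.customer.accountNumber"),
        "serialNumber": spath_get(req, "body.equipment.serialNumber"),
        "Channel": spath_get(req, "headers.Channel"),
        "redemptionEquipmentMemory": spath_get(resp, "body.model.redemptionEquipmentMemory"),
        "transactionReferenceNumber": spath_get(resp, "body.model.transactionReferenceNumber"),
    }


if __name__ == "__main__":
    for ev in (SAMPLE_EVENT, SWAPPED_EVENT):
        print("thread rex matched:", rex_split(ev) is not None)
        print(extract_record(ev))
    req = extract_json_field(SAMPLE_EVENT, "REQUEST")
    print(spath_get(req, "body.customer{}.accountNumber"))   # None: not an array
    print(spath_get(extract_json_field(SAMPLE_EVENT, "RESPONSE"), "headers.set-cookie{}"))
```

The design choice worth noting is that the only regex left is an anchor for the start of one named value; everything after that brace is delegated to the JSON parser, so key order, nesting depth and which log fields follow no longer matter. The same division of labour applies in Splunk: rex only to isolate the JSON blob, spath or json_extract to read it.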

splunk6
Path Finder

Hi 

Just to add on to this existing query: I need to get the memory details from REQUEST alone. My raw data is like the below, and this memory is also not available in all the events. So I need to fetch a report with only the events that have "memory" in the REQUEST (not all events have this "memory" in the REQUEST). Please help asap.


 

 

0 Karma

PickleRick
SplunkTrust

1. Please, don't post the same content in several messages. It's enough to post it once. (also - text in a preformatted paragraph or code box is worth several screenshots).

2. For "please help asap" you go to your local Splunk consultants and pay for their services. This is a community-driven forum where people voluntarily help others. Remarks like this can have the opposite effect on their motivation to answer you.

0 Karma

splunk6
Path Finder

Sure. Will take this. Thanks for your feedback.

0 Karma

splunk6
Path Finder

My existing query is:

index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem"
|rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\""
|spath input=REQUEST output=AccountNumber path=body.customer{}.accountNumber
|spath input=REQUEST output=IMEI path=body.equipment{}.serialNumber
|spath input=REQUEST output=Channel path=headers{}.Channel
|spath input=RESPONSE output=Memory path=body.model{}.redemptionEquipmentMemory
|spath input=RESPONSE output=TransactionRefNo path=body.model{}.transactionReferenceNumber
|table AccountNumber IMEI Channel Memory TransactionRefNo |sort TransactionRefNo
0 Karma