REQUEST="{"body":{"customer":{"accountNumber":"DBC50012225699","lineNumber":"5000654224"},"equipment":{"serialNumber":"351643935649535","grade":"A"},"redemptionDetails":{"redemptionDate":"20240502","user":"BMashiana","storeNumber":"WCCA0105","dealerNumber":"GW_STORE"}},"headers":{"content-type":"application/json;charset=UTF-8","Accept":"application/json;charset=UTF-8","Channel":"6","Locale":"en-US","TransactionID":"E86B7D59-B3CC-401D-977F-65218248367E","ApplicationID":"00000411","Authorization":"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg=="}}",
Below is my Splunk query:
index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem"
| rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\", RETRYNO"
| spath input=REQUEST
|spath input=REQUEST output=accountNumber path=body.customer{}.accountNumber
|mvexpand accountNumber
|spath input=REQUEST output=serialNumber path=body.equipment{}.serialNumber
|mvexpand serialNumber
|spath input=REQUEST output=Channel path=body{}{}.headers{}{}.Channel
|mvexpand Channel
|spath input=RESPONSE
|spath input=RESPONSE output=redemptionEquipmentMemory path=body.model{}.redemptionEquipmentMemory
|mvexpand redemptionEquipmentMemory
|spath input=RESPONSE output=transactionReferenceNumber path=body.model{}.transactionReferenceNumber
|mvexpand transactionReferenceNumber
|table accountNumber serialNumber Channel redemptionEquipmentMemory transactionReferenceNumber
Can someone suggest how to retrieve the channel from this request? It's empty for me. Also, it's inside the body->headers->channel. How to retrieve the second element from the request input?
Please, someone reply, as it is very urgent to complete my work.
Is this now solved using answers to this question and your very similar question https://community.splunk.com/t5/Splunk-Search/how-to-retrieve-the-value-from-json-input-using-splunk...?
Here is my complete data:
2024-05-02 23:40:22.000, ID="5e2276d3-7f02-7984-ad4b-e11507580872", ACCOUNTID="5", ACCOUNTNAME="prd", APPLICATIONID="6", APPLICATIONNAME="ws", REQUEST="{"body":{"customer":{"accountNumber":"DBC00089571590","lineNumber":"8604338"},"equipment":{"serialNumber":"359938615394762","grade":"A"},"redemptionDetails":{"redemptionDate":"20240502","user":"WVMSKaul","storeNumber":"WD227907","dealerNumber":"2279"}},"headers":{"content-type":"application/json;charset=UTF-8","Accept":"application/json;charset=UTF-8","Channel":"6","Locale":"en-US","TransactionID":"65E5519B-F170-4367-AA03-54A33BA29B4E","ApplicationID":"00000411","Authorization":"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg=="}}", RESPONSE="{"body":{"model":{"isRedeemed":true,"transactionReferenceNumber":"6200753992","redeemType":"Original","redemptionFailureReasonType":null,"redemptionEquipmentMake":"Samsung","redemptionEquipmentModel":"Galaxy S21 FE 128GB Graphite","redemptionEquipmentMemory":"128 GB","committedPrice":1,"additionalFees":0},"code":200,"messages":null,"isSuccess":true},"headers":{"connection":"close","content-type":"application/json;charset=utf-8","set-cookie":["AWSELB=B3A9CDE108B7A1C9F0AFA19D2F1D801BC5EA2DB758E049CA400C049FE7C310DF0BB906899FF431BCEF2EF75D94E40E95B107D7A5B122F6844BA88CEC0D864FC12E75279814;PATH=/","AWSELBCORS=B3A9CDE108B7A1C9F0AFA19D2F1D801BC5EA2DB758E049CA400C049FE7C310DF0BB906899FF431BCEF2EF75D94E40E95B107D7A5B122F6844BA88CEC0D864FC12E75279814;PATH=/;SECURE;SAMESITE=None","visid_incap_968152=gpkNFRF6QtKeSmDdY/9FWWUkNGYAAAAAQUIPAAAAAABmisXXPd3Y2+ulqGUibHZU; expires=Fri, 02 May 2025 07:12:03 GMT; HttpOnly; path=/; Domain=.likewize.com","nlbi_968152=FnwQGi3rMWk+u+PCILjsZwAAAACniSzzxzSlwTCqfbP87/10; path=/; Domain=.likewize.com","incap_ses_677_968152=2ZElDA77lnjppwgU8y9lCWUkNGYAAAAArXuktDctGDMtVtCwqfe5bw==; path=/; Domain=.likewize.com"],"content-length":"349","server":"Jetty(9.4.45.v20220203)"}}", RETRYNO="0", ENDPOINT="https://apptium.freedommobile.ca/Activation.TradeUp", 
OPERATION="/FPC/Redemption/Redeem", METHOD="POST", CONNECTORID="0748a993-4566-48ae-9885-2a4dce9de585", CONNECTORNAME="Likewize", CONNECTORTYPE="Application", CONNECTORSUBTYPE="REST", STARTTIME="1714693218282", ENDTIME="1714693222213", RESPONSETIME="3931", SUCCESS="1", CLIENT="eportal-services", CREATEDDATE="2024-05-02 23:40:22", USERNAME="WVMSKaul@wmbd.local", SESSIONID="_027c735b-30ed-472c-99e8-6d0748e5a7d9", ACTIONID="5c0a6f88-5a1e-4fdc-a454-01c53fdc0b9b", TRACKID="674e1eed-ba9e-429f-87fc-3b4773b7dd06"
Now you see the importance of illustrating data accurately. I could only give you Channel because the only data snippet I could see has Channel. Now, you can see that accountNumber is a subnode in REQUEST.body.customer, serialNumber is a subnode in REQUEST.body.equipment, while redemptionEquipmentMemory and transactionReferenceNumber are those in RESPONSE.body.model. Your initial data snippet already established that Channel is a subnode in REQUEST.headers.
All this is to say that to write the correct SPL, you need to understand data. Before trying to render results, use SPL to help analyze data.
Now that you know where in the JSON structure each of those fields lies, you can just extract each node. But doing so is usually too laborious and not good for maintenance and enhancement. So, I will give more flexible code:
index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem"
| rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\", RETRYNO"
| spath input=REQUEST path=headers
| spath input=REQUEST path=body output=REQUEST
| spath input=RESPONSE path=body output=RESPONSE
| foreach headers REQUEST RESPONSE
[spath input=<<FIELD>>]
```| spath input=RESPONSE path=headers.set-cookie{}
| mvexpand headers.set-cookie{}```
| foreach customer equipment model
[rename <<FIELD>>.* AS *]
|table accountNumber serialNumber Channel redemptionEquipmentMemory transactionReferenceNumber
This is an emulation of your sample data
| makeresults
| eval _raw = "2024-05-02 23:40:22.000, ID=\"5e2276d3-7f02-7984-ad4b-e11507580872\", ACCOUNTID=\"5\", ACCOUNTNAME=\"prd\", APPLICATIONID=\"6\", APPLICATIONNAME=\"ws\", REQUEST=\"{\"body\":{\"customer\":{\"accountNumber\":\"DBC00089571590\",\"lineNumber\":\"8604338\"},\"equipment\":{\"serialNumber\":\"359938615394762\",\"grade\":\"A\"},\"redemptionDetails\":{\"redemptionDate\":\"20240502\",\"user\":\"WVMSKaul\",\"storeNumber\":\"WD227907\",\"dealerNumber\":\"2279\"}},\"headers\":{\"content-type\":\"application/json;charset=UTF-8\",\"Accept\":\"application/json;charset=UTF-8\",\"Channel\":\"6\",\"Locale\":\"en-US\",\"TransactionID\":\"65E5519B-F170-4367-AA03-54A33BA29B4E\",\"ApplicationID\":\"00000411\",\"Authorization\":\"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg==\"}}\", RESPONSE=\"{\"body\":{\"model\":{\"isRedeemed\":true,\"transactionReferenceNumber\":\"6200753992\",\"redeemType\":\"Original\",\"redemptionFailureReasonType\":null,\"redemptionEquipmentMake\":\"Samsung\",\"redemptionEquipmentModel\":\"Galaxy S21 FE 128GB Graphite\",\"redemptionEquipmentMemory\":\"128 GB\",\"committedPrice\":1,\"additionalFees\":0},\"code\":200,\"messages\":null,\"isSuccess\":true},\"headers\":{\"connection\":\"close\",\"content-type\":\"application/json;charset=utf-8\",\"set-cookie\":[\"AWSELB=B3A9CDE108B7A1C9F0AFA19D2F1D801BC5EA2DB758E049CA400C049FE7C310DF0BB906899FF431BCEF2EF75D94E40E95B107D7A5B122F6844BA88CEC0D864FC12E75279814;PATH=/\",\"AWSELBCORS=B3A9CDE108B7A1C9F0AFA19D2F1D801BC5EA2DB758E049CA400C049FE7C310DF0BB906899FF431BCEF2EF75D94E40E95B107D7A5B122F6844BA88CEC0D864FC12E75279814;PATH=/;SECURE;SAMESITE=None\",\"visid_incap_968152=gpkNFRF6QtKeSmDdY/9FWWUkNGYAAAAAQUIPAAAAAABmisXXPd3Y2+ulqGUibHZU; expires=Fri, 02 May 2025 07:12:03 GMT; HttpOnly; path=/; Domain=.likewize.com\",\"nlbi_968152=FnwQGi3rMWk+u+PCILjsZwAAAACniSzzxzSlwTCqfbP87/10; path=/; Domain=.likewize.com\",\"incap_ses_677_968152=2ZElDA77lnjppwgU8y9lCWUkNGYAAAAArXuktDctGDMtVtCwqfe5bw==; path=/; 
Domain=.likewize.com\"],\"content-length\":\"349\",\"server\":\"Jetty(9.4.45.v20220203)\"}}\", RETRYNO=\"0\", ENDPOINT=\"https://apptium.freedommobile.ca/Activation.TradeUp\", OPERATION=\"/FPC/Redemption/Redeem\", METHOD=\"POST\", CONNECTORID=\"0748a993-4566-48ae-9885-2a4dce9de585\", CONNECTORNAME=\"Likewize\", CONNECTORTYPE=\"Application\", CONNECTORSUBTYPE=\"REST\", STARTTIME=\"1714693218282\", ENDTIME=\"1714693222213\", RESPONSETIME=\"3931\", SUCCESS=\"1\", CLIENT=\"eportal-services\", CREATEDDATE=\"2024-05-02 23:40:22\", USERNAME=\"WVMSKaul@wmbd.local\", SESSIONID=\"_027c735b-30ed-472c-99e8-6d0748e5a7d9\", ACTIONID=\"5c0a6f88-5a1e-4fdc-a454-01c53fdc0b9b\", TRACKID=\"674e1eed-ba9e-429f-87fc-3b4773b7dd06\""
``` the above emulates
index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem"
```
The output from emulated data is
accountNumber | serialNumber | Channel | redemptionEquipmentMemory | transactionReferenceNumber |
DBC00089571590 | 359938615394762 | 6 | 128 GB | 6200753992 |
Finally, I want to illustrate the most inflexible implementation, custom extraction of the needed fields directly:
index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem"
| rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\", RETRYNO"
| spath input=REQUEST path=headers.Channel output=Channel
| spath input=REQUEST path=body.customer.accountNumber output=accountNumber
| spath input=REQUEST path=body.equipment.serialNumber output=serialNumber
| spath input=RESPONSE path=body.model.redemptionEquipmentMemory output=redemptionEquipmentMemory
| spath input=RESPONSE path=body.model.transactionReferenceNumber output=transactionReferenceNumber
| table accountNumber serialNumber Channel redemptionEquipmentMemory transactionReferenceNumber
Since 8.1, you can also implement these one-to-one extractions using json_extract.
index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem"
| rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\", RETRYNO"
| eval Channel = json_extract(REQUEST, "headers.Channel")
| eval accountNumber = json_extract(REQUEST, "body.customer.accountNumber")
| eval serialNumber = json_extract(REQUEST, "body.equipment.serialNumber")
| eval redemptionEquipmentMemory = json_extract(RESPONSE, "body.model.redemptionEquipmentMemory")
| eval transactionReferenceNumber = json_extract(RESPONSE, "body.model.transactionReferenceNumber")
| table accountNumber serialNumber Channel redemptionEquipmentMemory transactionReferenceNumber
Hi
index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem"
| rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\", RETRYNO"
| spath input=REQUEST
| rename headers.* AS *
|rename body.customer.* AS *
|rename body.equipment.serialNumber.* AS *
|rename body.model.redemptionEquipmentMemory.* AS *
|rename body.model.transactionReferenceNumber.* AS *
|table Channel accountNumber serialNumber redemptionEquipmentMemory transactionReferenceNumber
I have modified the query as you stated. I am getting only account number and channel code in my results, not the other fields.
Do you mean you have a field named REQUEST with JSON data as illustrated, and want to have data like this:
field name | field value |
body.customer.accountNumber | DBC50012225699 |
body.customer.lineNumber | 5000654224 |
body.equipment.grade | A |
body.equipment.serialNumber | 351643935649535 |
body.redemptionDetails.dealerNumber | GW_STORE |
body.redemptionDetails.redemptionDate | 20240502 |
body.redemptionDetails.storeNumber | WCCA0105 |
body.redemptionDetails.user | BMashiana |
headers.Accept | application/json;charset=UTF-8 |
headers.ApplicationID | 00000411 |
headers.Authorization | Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg== |
headers.Channel | 6 |
headers.Locale | en-US |
headers.TransactionID | E86B7D59-B3CC-401D-977F-65218248367E |
headers.content-type | application/json;charset=UTF-8 |
where header.Channel has value 6?
REQUEST does not contain any array, why the complicated path? All you need is
| spath input=REQUEST
| rename headers.* AS *
Here is an emulation based on your sample data.
| makeresults
| eval REQUEST="{\"body\":{\"customer\":{\"accountNumber\":\"DBC50012225699\",\"lineNumber\":\"5000654224\"},\"equipment\":{\"serialNumber\":\"351643935649535\",\"grade\":\"A\"},\"redemptionDetails\":{\"redemptionDate\":\"20240502\",\"user\":\"BMashiana\",\"storeNumber\":\"WCCA0105\",\"dealerNumber\":\"GW_STORE\"}},\"headers\":{\"content-type\":\"application/json;charset=UTF-8\",\"Accept\":\"application/json;charset=UTF-8\",\"Channel\":\"6\",\"Locale\":\"en-US\",\"TransactionID\":\"E86B7D59-B3CC-401D-977F-65218248367E\",\"ApplicationID\":\"00000411\",\"Authorization\":\"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg==\"}}"
``` the above emulates
index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem"
| rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\", RETRYNO"
```
| spath input=REQUEST
| rename headers.* AS *
| table accountNumber serialNumber Channel redemptionEquipmentMemory transactionReferenceNumber
The output is
accountNumber | serialNumber | Channel | redemptionEquipmentMemory | transactionReferenceNumber |
| | 6 | | |
Obviously I do not have RESPONSE data. But play with it and compare with real REQUEST data.
Hi @splunk6,
The mvexpand should work, but if not, as you mentioned, maybe the rex command could fix that for you.
To get all the matches of Channel:
| makeresults
| eval request="REQUEST=\"{\"body\":{\"customer\":{\"accountNumber\":\"DBC50012225699\",\"lineNumber\":\"5000654224\"},\"equipment\":{\"serialNumber\":\"351643935649535\",\"grade\":\"A\"},\"redemptionDetails\":{\"redemptionDate\":\"20240502\",\"user\":\"BMashiana\",\"storeNumber\":\"WCCA0105\",\"dealerNumber\":\"GW_STORE\"}},\"headers\":{\"content-type\":\"application/json;charset=UTF-8\",\"Accept\":\"application/json;charset=UTF-8\",\"Channel\":\"6\",\"Locale\":\"en-US\",\"TransactionID\":\"E86B7D59-B3CC-401D-977F-65218248367E\",\"ApplicationID\":\"00000411\",\"Authorization\":\"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg==\"}}\",REQUEST=\"{\"body\":{\"customer\":{\"accountNumber\":\"DBC50012225699\",\"lineNumber\":\"5000654224\"},\"equipment\":{\"serialNumber\":\"351643935649535\",\"grade\":\"A\"},\"redemptionDetails\":{\"redemptionDate\":\"20240502\",\"user\":\"BMashiana\",\"storeNumber\":\"WCCA0105\",\"dealerNumber\":\"GW_STORE\"}},\"headers\":{\"content-type\":\"application/json;charset=UTF-8\",\"Accept\":\"application/json;charset=UTF-8\",\"Channel\":\"7\",\"Locale\":\"en-US\",\"TransactionID\":\"E86B7D59-B3CC-401D-977F-65218248367E\",\"ApplicationID\":\"00000411\",\"Authorization\":\"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg==\"}}\","
| rex max_match=0 field=request "\,\"Channel\"\:\"(?<Channel>.+?)\""
To get only one result for the channel (the first one) by search:
| makeresults
| eval request="REQUEST=\"{\"body\":{\"customer\":{\"accountNumber\":\"DBC50012225699\",\"lineNumber\":\"5000654224\"},\"equipment\":{\"serialNumber\":\"351643935649535\",\"grade\":\"A\"},\"redemptionDetails\":{\"redemptionDate\":\"20240502\",\"user\":\"BMashiana\",\"storeNumber\":\"WCCA0105\",\"dealerNumber\":\"GW_STORE\"}},\"headers\":{\"content-type\":\"application/json;charset=UTF-8\",\"Accept\":\"application/json;charset=UTF-8\",\"Channel\":\"6\",\"Locale\":\"en-US\",\"TransactionID\":\"E86B7D59-B3CC-401D-977F-65218248367E\",\"ApplicationID\":\"00000411\",\"Authorization\":\"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg==\"}}\",REQUEST=\"{\"body\":{\"customer\":{\"accountNumber\":\"DBC50012225699\",\"lineNumber\":\"5000654224\"},\"equipment\":{\"serialNumber\":\"351643935649535\",\"grade\":\"A\"},\"redemptionDetails\":{\"redemptionDate\":\"20240502\",\"user\":\"BMashiana\",\"storeNumber\":\"WCCA0105\",\"dealerNumber\":\"GW_STORE\"}},\"headers\":{\"content-type\":\"application/json;charset=UTF-8\",\"Accept\":\"application/json;charset=UTF-8\",\"Channel\":\"7\",\"Locale\":\"en-US\",\"TransactionID\":\"E86B7D59-B3CC-401D-977F-65218248367E\",\"ApplicationID\":\"00000411\",\"Authorization\":\"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg==\"}}\","
| rex field=request "\,\"Channel\"\:\"(?<Channel>.+?)\""
Note: It's important to mention that I created the request field to add your REQUEST field value into the | makeresults, ok? In your code, you should use only the rex field=REQUEST with or without max_match=0.
I hope it helps you.
Happy splunking!
Hi
Just to add on this existing query, I need to get the memory details from REQUEST alone. My raw data is like the below and this memory is also not available in all the events. So I need to fetch a report with the events that are only having "memory" in the REQUEST. (Not all events have this "memory" in the REQUEST.) Please help asap.
My existing query is:
index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem"
|rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\""
|spath input=REQUEST output=AccountNumber path=body.customer{}.accountNumber
|spath input=REQUEST output=IMEI path=body.equipment{}.serialNumber
|spath input=REQUEST output=Channel path=headers{}.Channel
|spath input=RESPONSE output=Memory path=body.model{}.redemptionEquipmentMemory
|spath input=RESPONSE output=TransactionRefNo path=body.model{}.transactionReferenceNumber
|table AccountNumber IMEI Channel Memory TransactionRefNo |sort TransactionRefNo
Thanks, I tried extracting the request and response using rex _raw and filtering the fields using spath.
No! Don't try to handle structured data with simple regexes. Unless you're very very very sure that the format is constant and it always will be (which is typically not something you can rely on since even the developers writing the solutions that produce such events don't know the exact order of fields that will be sent by their program) handling json or XML with regex is asking for trouble.
Is there any other way of handling JSON content using the rex command which would be much easier? Although my request is not completely in a JSON format.
You must understand why @PickleRick and I keep telling you not to try using rex to handle structured data like JSON: rex is the wrong tool because syntax is not bound by format in JSON. The same semantics can be expressed by a million variants of format while conforming to the same syntax. {"ka":"va","kb":"vb"} is exactly the same as {"kb":"vb","ka":"va"}. Any rex you develop will always be unstable. By insisting on using regex, i.e., treating structured data as pure text, you are just reinforcing some bad habit that will inhibit your abilities in the future.
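The key-order point above, shown outside Splunk as an added Python example (not code from any poster in this thread). The two events are constructed and shortened, the function names are hypothetical, and `CHANNEL_RE` is the Channel pattern from the rex-based answer earlier in the thread; the JSON-aware path returns the same five fields for both events while the regex loses Channel once the keys are reordered.

```python
import json
import re

# Constructed sample events in the thread's KEY="value" layout, shortened.
# EVENT_B carries the same data as EVENT_A with the JSON keys reordered and
# a space after each colon, which is still the same JSON document.
EVENT_A = (
    '2024-05-02 23:40:22.000, ID="1", REQUEST="{"body":{"customer":'
    '{"accountNumber":"ACCT-0001"},"equipment":{"serialNumber":"SN-0001"}},'
    '"headers":{"Accept":"application/json","Channel":"6"}}", '
    'RESPONSE="{"body":{"model":{"transactionReferenceNumber":"TRN-1",'
    '"redemptionEquipmentMemory":"128 GB"},"code":200}}", RETRYNO="0"'
)
EVENT_B = (
    '2024-05-02 23:41:00.000, ID="2", REQUEST="{"headers": {"Channel": "6", '
    '"Accept": "application/json"}, "body": {"equipment": {"serialNumber": '
    '"SN-0001"}, "customer": {"accountNumber": "ACCT-0001"}}}", '
    'RESPONSE="{"body": {"code": 200, "model": {"redemptionEquipmentMemory": '
    '"128 GB", "transactionReferenceNumber": "TRN-1"}}}", RETRYNO="0"'
)

# The Channel pattern from the rex-based answer in the thread.
CHANNEL_RE = re.compile(r',"Channel":"(?P<Channel>.+?)"')

# Field name -> (source document, key path), as established in the thread.
WANTED = {
    "accountNumber": ("REQUEST", "body", "customer", "accountNumber"),
    "serialNumber": ("REQUEST", "body", "equipment", "serialNumber"),
    "Channel": ("REQUEST", "headers", "Channel"),
    "redemptionEquipmentMemory": ("RESPONSE", "body", "model", "redemptionEquipmentMemory"),
    "transactionReferenceNumber": ("RESPONSE", "body", "model", "transactionReferenceNumber"),
}

def embedded_json(event, key):
    """Decode the JSON object that follows KEY=" and stop where the object ends."""
    marker = key + '="'
    start = event.find(marker)
    if start < 0:
        return None
    try:
        # raw_decode parses one JSON value and ignores whatever text follows it.
        obj, _end = json.JSONDecoder().raw_decode(event, start + len(marker))
    except json.JSONDecodeError:
        return None
    return obj

def walk(node, path):
    """Follow a key path through nested dicts; None when any step is absent."""
    for step in path:
        if not isinstance(node, dict) or step not in node:
            return None
        node = node[step]
    return node

def extract_fields(event):
    """Structure-aware extraction of the five fields the thread tabulates."""
    docs = {k: embedded_json(event, k) for k in ("REQUEST", "RESPONSE")}
    return {name: walk(docs[path[0]], path[1:]) for name, path in WANTED.items()}

def channel_by_regex(event):
    """Text-based extraction using the thread's Channel pattern."""
    m = CHANNEL_RE.search(event)
    return m.group("Channel") if m else None
```
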
Hi
Just to add on this existing query, I need to get the memory details from REQUEST alone. My raw data is like the below and this memory is also not available in all the events. So I need to fetch a report with the events that are only having "memory" in the REQUEST. (Not all events have this "memory" in the REQUEST.) Please help asap.
1. Please, don't post the same content in several messages. It's enough to post it once. (also - text in a preformatted paragraph or code box is worth several screenshots).
2. For "please help asap" you go to your local Splunk consultants and pay for their services. This is a community-driven forum where people voluntarily help others. Remarks like this can have the opposite effect on their motivation to answer you.
Sure. Will take this. Thanks for your feedback.