- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: spath vs rename
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
spath vs rename
This is the data:
message: { [-]
operation: create_session
....
I am trying to list the name of the operation. I tried spath and rename: spath is not working, does not return the value 'create_session', but rename does. Why?
spath input=message path=operation output=oper_name
rename message.operation AS oper
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| makeresults
| eval _raw="{
\"build_version\": \"1.0.20190207114538\",
\"level\": \"INFO\",
\"message\": {
\"build_version\": \"1.0.20190207114538\",
\"correlation_id\": \"b96a6133-baae-4d2e-8ff5-1e758c485ecd\",
\"operation\": \"create_session\",
\"order_id\": \"53ac061f-6b09-712e-9df0-006ec64a9a4b\",
\"request\": {
},
\"response\": {
},
\"session_id\": \"1bad8fa7-409d-74ef-9a75-4108393f9528\"
},
\"order_id\": \"53ac061f-6b09-712e-9df0-006ec64a9a4b\",
\"session_id\": \"1bad8fa7-409d-74ef-9a75-4108393f9528\",
\"thread\": \"dw-1551 - POST /payments/merchant/N100829/v1/sessions\",
\"timestamp\": \"2019-02-13T03:30:35.426Z\",
\"uid\": \"b96a6133-baae-4d2e-8ff5-1e758c485ecd\"
}"
| spath
| rename message.* as *
| fields - _*
In conclusion, the argument of spath is wrong.
| spath path=message.operation output=oper
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did try but unsuccessfully. What i shared is pretty much it and I am trying to do the simplest :).
Below is another example. I am not expanding the request and response data because it's not needed.
{ [-]
build_version: 1.0.20190207114538
level: INFO
message: { [-]
build_version: 1.0.20190207114538
correlation_id: b96a6133-baae-4d2e-8ff5-1e758c485ecd
operation: create_session
order_id: 53ac061f-6b09-712e-9df0-006ec64a9a4b
request: { [+]
}
response: { [+]
}
session_id: 1bad8fa7-409d-74ef-9a75-4108393f9528
}
order_id: 53ac061f-6b09-712e-9df0-006ec64a9a4b
session_id: 1bad8fa7-409d-74ef-9a75-4108393f9528
thread: dw-1551 - POST /payments/merchant/N100829/v1/sessions
timestamp: 2019-02-13T03:30:35.426Z
uid: b96a6133-baae-4d2e-8ff5-1e758c485ecd
}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@GailLeshinsky,
Do you have some sample event to share?
Have you tried - spath input=message path=message.operation output=oper_name ?
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
