
spath vs rename

New Member

This is the data:

message: { [-]
operation: create_session
....

I am trying to list the name of the operation. I tried spath and rename: spath is not working, does not return the value 'create_session', but rename does. Why?

spath input=message path=operation output=oper_name
rename message.operation AS oper

0 Karma

Re: spath vs rename

SplunkTrust

@GailLeshinsky,
Do you have some sample event to share?
Have you tried - spath input=message path=message.operation output=oper_name ?

0 Karma

Re: spath vs rename

New Member

I did try but unsuccessfully. What I shared is pretty much it and I am trying to do the simplest :).

Below is another example. I am not expanding the request and response data because it's not needed.

{ [-]
  build_version: 1.0.20190207114538
  level: INFO
  message: { [-]
    build_version: 1.0.20190207114538
    correlation_id: b96a6133-baae-4d2e-8ff5-1e758c485ecd
    operation: create_session
    order_id: 53ac061f-6b09-712e-9df0-006ec64a9a4b
    request: { [+]
    }
    response: { [+]
    }
    session_id: 1bad8fa7-409d-74ef-9a75-4108393f9528
  }
  order_id: 53ac061f-6b09-712e-9df0-006ec64a9a4b
  session_id: 1bad8fa7-409d-74ef-9a75-4108393f9528
  thread: dw-1551 - POST /payments/merchant/N100829/v1/sessions
  timestamp: 2019-02-13T03:30:35.426Z
  uid: b96a6133-baae-4d2e-8ff5-1e758c485ecd
}

0 Karma

Re: spath vs rename

Ultra Champion
| makeresults 
| eval _raw="{ 
\"build_version\": \"1.0.20190207114538\",
\"level\": \"INFO\",
\"message\": { 
\"build_version\": \"1.0.20190207114538\",
\"correlation_id\": \"b96a6133-baae-4d2e-8ff5-1e758c485ecd\",
\"operation\": \"create_session\",
\"order_id\": \"53ac061f-6b09-712e-9df0-006ec64a9a4b\",
\"request\": {
},
\"response\": {
},
\"session_id\": \"1bad8fa7-409d-74ef-9a75-4108393f9528\"
},
\"order_id\": \"53ac061f-6b09-712e-9df0-006ec64a9a4b\",
\"session_id\": \"1bad8fa7-409d-74ef-9a75-4108393f9528\",
\"thread\": \"dw-1551 - POST /payments/merchant/N100829/v1/sessions\",
\"timestamp\": \"2019-02-13T03:30:35.426Z\",
\"uid\": \"b96a6133-baae-4d2e-8ff5-1e758c485ecd\"
}"
| spath
| rename message.* as *
| fields - _*

In conclusion, the argument of spath is wrong.
| spath path=message.operation output=oper

0 Karma