REQUEST="{"body":{"customer":{"accountNumber":"DBC50012225699","lineNumber":"5000654224"},"equipment":{"serialNumber":"351643935649535","grade":"A"},"redemptionDetails":{"redemptionDate":"20240502","...
See more...
REQUEST="{"body":{"customer":{"accountNumber":"DBC50012225699","lineNumber":"5000654224"},"equipment":{"serialNumber":"351643935649535","grade":"A"},"redemptionDetails":{"redemptionDate":"20240502","user":"BMashiana","storeNumber":"WCCA0105","dealerNumber":"GW_STORE"}},"headers":{"content-type":"application/json;charset=UTF-8","Accept":"application/json;charset=UTF-8","Channel":"6","Locale":"en-US","TransactionID":"E86B7D59-B3CC-401D-977F-65218248367E","ApplicationID":"00000411","Authorization":"Basic ZnJlZWRvbWNyZWF0ZTpDd0t4dGlmbGZ3ZnFaQVYydWhtUg=="}}",
Below is my splunk query:
index="wireless_retail" source="CREATE_FREEDOM.transactionlog" OPERATION="/FPC/Redemption/Redeem"
| rex "REQUEST=\"(?<REQUEST>.+)\", RESPONSE=\"(?<RESPONSE>.+)\", RETRYNO"
| spath input=REQUEST
|spath input=REQUEST output=accountNumber path=body.customer{}.accountNumber
|mvexpand accountNumber
|spath input=REQUEST output=serialNumber path=body.equipment{}.serialNumber
|mvexpand serialNumber
|spath input=REQUEST output=Channel path=body{}{}.headers{}{}.Channel
|mvexpand Channel
|spath input=RESPONSE
|spath input=RESPONSE output=redemptionEquipmentMemory path=body.model{}.redemptionEquipmentMemory
|mvexpand redemptionEquipmentMemory
|spath input=RESPONSE output=transactionReferenceNumber path=body.model{}.transactionReferenceNumber
|mvexpand transactionReferenceNumber
|table accountNumber serialNumber Channel redemptionEquipmentMemory transactionReferenceNumber
Can someone suggest me how to retrive the channel from this request. Its empty forme. also its inside the body->headers->channel. how to retrive the second element from the request input.
please someone reply as it is very urgent to complete my work