I'm new to Splunk and really struggle very hard with its documentation. Every time I try to do something, it does not work as documented. I'm pretty fluent with the free tool named jq, but it requires downloading the data from Splunk to process it, which is very inconvenient to do across the globe.

I have some query producing JSONs. I'd like to do this trivial thing: extract data from field json.msg (trivial projection), parse it as JSON, then proceed further. In jq this is as hard as:

'.json.msg | fromjson'

Done. Can someone advise how to do this in Splunk? I tried:

… | spath input=json.msg output=msg_raw path=json.msg

and multiple variants of that, but it either does not compile (say, if path is missing) or does nothing.

… | spath input=json.msg output=msg_raw path=json.msg | table msg_raw

prints empty lines. I need to do much more complex things with it (reductions/aggregations/deduplications), all trivial in jq, but even this is not doable in a Splunk query. How to do it? Or where is valid documentation showing things which work?
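An added example, not from the original post, of the SPL equivalent of `.json.msg | fromjson`: one spath projects the inner JSON string out of the event, a second spath parses that string. The two events are constructed inline with makeresults and append so the search runs on any Splunk instance with no indexed data; the inner field names user, action and ok are assumed for illustration only.

```spl
| makeresults
| eval _raw="{\"json\":{\"msg\":\"{\\\"user\\\":\\\"alice\\\",\\\"action\\\":\\\"login\\\",\\\"ok\\\":false}\"}}"
| append
    [| makeresults
     | eval _raw="{\"json\":{\"msg\":\"{\\\"user\\\":\\\"bob\\\",\\\"action\\\":\\\"login\\\",\\\"ok\\\":true}\"}}"]
| spath path=json.msg output=msg_raw
| spath input=msg_raw
| stats count by user action ok
```

The first `spath` reads `_raw` (its default input) and copies the string at `json.msg` into `msg_raw`; the second `spath input=msg_raw` treats that string as a JSON document and extracts every key in it as a field, after which ordinary `stats`, `dedup` or `eval` work on `user`, `action` and `ok`. The reason the query in the question returns blank rows is that `path=` is resolved relative to the document named by `input=`: `spath input=json.msg path=json.msg` searches for a key called `json.msg` inside the inner message, which has none. On real data replace the `makeresults`/`append` lines with the base search and keep the two `spath` lines; events whose `msg` is not valid JSON simply get no fields from the second `spath`, so `| where isnull(user)` is a quick check for malformed or unexpectedly shaped messages before trusting the aggregation.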