I'm calling a REST API using curl on a UF to collect data from a remote DataPower appliance; the output is in JSON format and is written to a flat file that Splunk ingests and indexes. The JSON data looks like this (this snippet represents one event ingested by Splunk with three classes/objects cited in the "ObjectStatus" array; in reality, there can be dozens and dozens of classes/objects within the array):

    {
      "_links" : {
        "self" : {"href" : "/mgmt/status/default/ObjectStatus"},
        "doc" : {"href" : "/mgmt/docs/status/ObjectStatus"}
      },
      "ObjectStatus" : [
        {
          "Class" : "DNSNameService",
          "OpState" : "up",
          "AdminState" : "enabled",
          "Name" : "dns",
          "EventCode" : "0x00000000",
          "ErrorCode" : "",
          "ConfigState" : "saved"
        },
        {
          "Class" : "CRLFetch",
          "OpState" : "down",
          "AdminState" : "enabled",
          "Name" : "crl",
          "EventCode" : "0x00360010",
          "ErrorCode" : "No CRLs configured",
          "ConfigState" : "saved"
        },
        {
          "Class" : "Statistics",
          "OpState" : "up",
          "AdminState" : "enabled",
          "Name" : "statistics",
          "EventCode" : "0x00000000",
          "ErrorCode" : "",
          "ConfigState" : "saved"
        }
      ]
    }

I'm using a custom sourcetype to process the events in Splunk; props.conf looks like this (installed on both the UF and my indexers):

    [dp_json]
    INDEXED_EXTRACTIONS = json
    KV_MODE = none

Splunk appears to be processing the events correctly, as the following fields are present (and match up with the expected values):

    ObjectStatus{}.AdminState
    ObjectStatus{}.Class
    ObjectStatus{}.ConfigState
    ObjectStatus{}.ErrorCode
    ObjectStatus{}.EventCode
    ObjectStatus{}.Name
    ObjectStatus{}.OpState

Here's my dilemma. I would like to identify objects in a particular state. For example: I would like to know which objects in the array have ObjectStatus{}.OpState equal to "down", with the ObjectStatus{}.Class and ObjectStatus{}.OpState returned for each object that matches. I've tried a search query such as this...

    sourcetype=dp_json index=main "ObjectStatus{}.OpState"="down" | table "ObjectStatus{}.Class", "ObjectStatus{}.OpState"

...but this returns every Class from each event, regardless of OpState being "up" or "down". What adjustments are required in order to get the output I'm looking for?
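The behaviour described in the question comes from how indexed JSON extraction flattens an array: every element's Class lands in one multivalue field ObjectStatus{}.Class and every element's OpState in another, so "ObjectStatus{}.OpState"="down" is an event-level test (true if any element is down) and the table then prints all values of both multivalue fields with the per-object pairing lost. The following Python script, added here as an illustration and not part of the original post, models both the indexed-field view and the per-object expansion (in SPL the same per-element flattening is what spath path=ObjectStatus{} output=obj | mvexpand obj | spath input=obj produces before a search OpState=down) on a constructed copy of the event from the question; the function names and the sample event are assumptions of this example. It also carries ErrorCode through, because an object such as CRLFetch being down with "No CRLs configured" is exactly the kind of revocation-checking gap a monitoring search should surface.

```python
import json

# Constructed sample event, modelled on the ObjectStatus JSON shown in the question.
SAMPLE_EVENT = """{
  "_links": {"self": {"href": "/mgmt/status/default/ObjectStatus"},
             "doc": {"href": "/mgmt/docs/status/ObjectStatus"}},
  "ObjectStatus": [
    {"Class": "DNSNameService", "OpState": "up", "AdminState": "enabled", "Name": "dns",
     "EventCode": "0x00000000", "ErrorCode": "", "ConfigState": "saved"},
    {"Class": "CRLFetch", "OpState": "down", "AdminState": "enabled", "Name": "crl",
     "EventCode": "0x00360010", "ErrorCode": "No CRLs configured", "ConfigState": "saved"},
    {"Class": "Statistics", "OpState": "up", "AdminState": "enabled", "Name": "statistics",
     "EventCode": "0x00000000", "ErrorCode": "", "ConfigState": "saved"}
  ]
}"""


def indexed_fields(event_json):
    """Model INDEXED_EXTRACTIONS=json for one event: every key of every array
    element becomes a value of the multivalue field 'ObjectStatus{}.<key>'.
    The pairing between Class and OpState of one object is not preserved."""
    event = json.loads(event_json)
    fields = {}
    for obj in event["ObjectStatus"]:
        for key, value in obj.items():
            fields.setdefault("ObjectStatus{}." + key, []).append(value)
    return fields


def event_level_search(event_json, op_state="down"):
    """The question's search: the filter is evaluated against the whole event,
    which matches if ANY element has OpState == op_state, and the table then
    lists every Class alongside every OpState (hypothetical helper)."""
    fields = indexed_fields(event_json)
    if op_state not in fields["ObjectStatus{}.OpState"]:
        return []
    return list(zip(fields["ObjectStatus{}.Class"], fields["ObjectStatus{}.OpState"]))


def expanded_search(event_json, op_state="down"):
    """Per-object filtering: expand the array into one row per object first
    (the spath + mvexpand step in SPL), then test each row on its own
    (hypothetical helper). Returns (Class, OpState, ErrorCode) tuples."""
    event = json.loads(event_json)
    rows = [(o["Class"], o["OpState"], o.get("ErrorCode", "")) for o in event["ObjectStatus"]]
    return [(cls, state, err) for cls, state, err in rows if state == op_state]


if __name__ == "__main__":
    print("event-level search (what the question's query returns):")
    for cls, state in event_level_search(SAMPLE_EVENT):
        print(f"  {cls:16} {state}")
    print("per-object search (after expanding the array):")
    for cls, state, err in expanded_search(SAMPLE_EVENT):
        print(f"  {cls:16} {state:6} {err}")
```

Running the script shows the contrast directly: the event-level search returns all three classes because the event as a whole contains a "down" element, while the expanded search returns only CRLFetch. In Splunk the same correction is to expand ObjectStatus{} into one row per object before filtering; the table of Class and OpState is then taken from the per-row fields rather than the multivalue ones.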