Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- About loeweps
loeweps
Explorer
Member since:
01-21-2015
06-05-2020
Community Statistics
| Posts | 9 |
| Solutions | 0 |
| Karma Given | 2 |
| Karma Received | 0 |
| Member Since | 01-21-2015 |
Activity Feed
- Karma Re: Split a nested json array with key/value pairs at index time for harsmarvania57. 06-05-2020 12:50 AM
- Karma Splitting header and each entry from a nested JSON array into separate events at index time for madstop99. 06-05-2020 12:48 AM
- Posted Re: Split a nested json array with key/value pairs at index time on Getting Data In. 04-09-2019 03:04 AM
- Posted Re: Split a nested json array with key/value pairs at index time on Getting Data In. 04-07-2019 03:41 AM
- Posted Split a nested json array with key/value pairs at index time on Getting Data In. 04-06-2019 03:59 AM
- Tagged Split a nested json array with key/value pairs at index time on Getting Data In. 04-06-2019 03:59 AM
- Tagged Split a nested json array with key/value pairs at index time on Getting Data In. 04-06-2019 03:59 AM
- Tagged Split a nested json array with key/value pairs at index time on Getting Data In. 04-06-2019 03:59 AM
- Tagged Split a nested json array with key/value pairs at index time on Getting Data In. 04-06-2019 03:59 AM
- Posted Re: Find events that occur after the time returned from a subsearch for a specific field on Splunk Search. 05-21-2015 12:02 PM
- Posted Find events that occur after the time returned from a subsearch for a specific field on Splunk Search. 05-20-2015 11:04 AM
- Tagged Find events that occur after the time returned from a subsearch for a specific field on Splunk Search. 05-20-2015 11:04 AM
- Tagged Find events that occur after the time returned from a subsearch for a specific field on Splunk Search. 05-20-2015 11:04 AM
- Tagged Find events that occur after the time returned from a subsearch for a specific field on Splunk Search. 05-20-2015 11:04 AM
- Tagged Find events that occur after the time returned from a subsearch for a specific field on Splunk Search. 05-20-2015 11:04 AM
- Posted Re: How to count how many times the same result set from stats(values) or stats(list) is repeated. on Splunk Search. 01-23-2015 07:53 AM
- Posted How to count how many times the same result set from stats(values) or stats(list) is repeated. on Splunk Search. 01-22-2015 09:10 PM
- Tagged How to count how many times the same result set from stats(values) or stats(list) is repeated. on Splunk Search. 01-22-2015 09:10 PM
- Tagged How to count how many times the same result set from stats(values) or stats(list) is repeated. on Splunk Search. 01-22-2015 09:10 PM
- Tagged How to count how many times the same result set from stats(values) or stats(list) is repeated. on Splunk Search. 01-22-2015 09:10 PM
Topics I've Started
| Subject | Karma | Author | Latest Post |
|---|---|---|---|
| 0 | |||
| 0 | |||
| 0 | |||
| 0 |
04-09-2019
03:04 AM
Thanks again harsmarvania57. Removing indexed_extractions and replacing it with kv_mode=json worked to split the events when I added them via json file. If I use the HEC to stream events to the Splunk instance it would still ignore the line-breaker but not the rest of the commands. I ended up resolving the issue by splitting the events at the source(kafka). I found an option within Kafka connect to send the events to the raw HEC endpoint instead of the HEC event endpoint but I didn't get to test that option as the issue was already solved.
... View more
04-07-2019
03:41 AM
Thanks for the reply harsmarvania57. That answers part of the question but the overall splitting of events should be possible. Here are a couple links where people were successful. I have tried to replicate what they did but I haven't had much luck as the line-breaker appears as if it is getting ignored.
https://answers.splunk.com/answers/704459/how-to-split-json-array-into-multiple-events-using.html
https://answers.splunk.com/answers/289520/how-to-split-a-json-array-into-multiple-events-wit.html
This is my props.conf trying to use Line_breaker to split the events. Once I get that working I would then use part of what you provided to clean up the Keys/Content fields. I have tested this in regex and the matches appear to work.
[gpb_kv_test7]
DATETIME_CONFIG =
INDEXED_EXTRACTIONS = json
LINE_BREAKER = ((?!"),(?!")|[\r\n]+)
NO_BINARY_CHECK = true
SEDCMD-remove_prefix = s/({\"Source\"\S+?\"Rows\":[)//g
SEDCMD-remove_suffix = s/]}//g
SHOULD_LINEMERGE = false
TIMESTAMP_FIELDS = Rows{}.Timestamp
category = Structured
description = JavaScript Object Notation format. For more information, visit http://json.org/
disabled = false
pulldown_type = true
Leaves me with a single event like this:
{"Timestamp":1554629642020,"Keys":{"name":"Processor"},"Content":{"free-memory":1123798432}},{"Timestamp":1554629642020,"Keys":{"name":"lsmpi_io"},"Content":{"free-memory":824}}
... View more
04-06-2019
03:59 AM
I am searching for a way to split an json array at index time with key value pairs.
Raw Data:
{"Source":"192.16.0.1:57913","Telemetry":{"node_id_str":"border_1","subscription_id_str":"101","encoding_path":"Cisco-IOS-XE-memory-oper:memory-statistics/memory-statistic","collection_id":0,"collection_start_time":0,"msg_timestamp":1554539606730,"collection_end_time":0},"Rows":[{"Timestamp":1554539606730,"Keys":{"name":"Processor"},"Content":{"used-memory":325518464}},{"Timestamp":1554539606730,"Keys":{"name":"lsmpi_io"},"Content":{"used-memory":6294304}}]}
I would like to separate this into two events. Keeping or even discarding the header. Though keeping the node_id_str is useful.
Event1:
{
"Source":"192.16.0.1:57913",
"node_id_str":"border_1",
"encoding_path":"Cisco-IOS-XE-memory-oper:memory-statistics/memory-statistic",
"Timestamp":1554539606730,
"name":"lsmpi_io"
"used-memory":6294304
}
Event2:
{
"Source":"192.16.0.1:57913",
"node_id_str":"border_1",
"encoding_path":"Cisco-IOS-XE-memory-oper:memory-statistics/memory-statistic",
"Timestamp":1554539606730,
"name":"Processor"
"used-memory":325518464
}
Or alternatively if there isn't an easy way. Just keep the data in Rows{}
Event1:
{
"Timestamp":1554539606730,
"name":"lsmpi_io"
"used-memory":6294304
}
I am using indexed_extractions = json. I have tried working with line breaker, must_break_after, and sedcmd removing the header but I haven't had much luck.
... View more
05-21-2015
12:02 PM
Thank you, This gets me much closer to what I want to do. The only issue I have now is I have to convert the completed_date to epoch to use it as my comparison value. Dataset2 _time is based off create_date but Dataset1 _time value is not based off of completed_date.
Thanks again,
Paul
... View more
05-20-2015
11:04 AM
I have two sets of data. Both have account number and date along with a list of other fields. I want to search for account numbers in dataset 1 and take those account number and find all records that occur after the event for each account number.
I assume a subsearch is the best way to do that.
If I have
Dataset1:
Account_Num Complete_Date
1 1/5/2015
2 2/3/2015
3 2/6/2015
1 2/9/2015
Dataset2:
Account Create_Date
1 1/1/2015
2 2/6/2015
3 2/8/2015
1 2/14/2015
I want to search for and return the account number and completed date and then search the second data set for accounts with a created date of within 14 days of the date from the first search.
I was assuming that I should do a subsearch that would return the Account_Num and Complete_Date but I am not sure of the best way to have it only search on the Account_Num and then search within a 14 day window of the Complete_Date against the Create_Date . I looked up foreach but wasn't sure if that solves my issue.
I want it to return only the three records listed below from Dataset2 because they have a matching account number and have a create date of within 14 days of the data from Dataset1
Account Create_Date
2 2/6/2015
3 2/8/2015
1 2/14/2015
Thanks in advance for any help with this as it is appreciated.
... View more
01-23-2015
07:53 AM
Thank you for taking the time to help. Sorry for the confusion. I am hoping there may be an easier way to do this as it's been painful so far. Searched around for hours looking instances were the stats (values) or stasts(list) result is grouped and counted but haven't had any luck.
I attempted to use this solution. I am still counting by Account number.
I want to count how many times the same result set(group of Problem/Finding) appears.
So if there are five different instances of Repaired, Replaced, Box, Box. I want to count these without using account number.
I want to have it look like this:
SOL,FND, Count
Replaced, Wire, 1
Replaced, Wire
Repaired, BOX, 5
Replaced, BOX
I want to count each time the same set of results appears. If there are 20 instances where that combination of results appears I want to count that. Every time I try to use stats or eval on the SOL, FIND group it breaks them up and counts the individually again.
I am not familiar with html so trying to add the pre/code tag here. I also fixed the original question so that I was using Solution throughout the example.
... View more
01-22-2015
09:10 PM
I have the following data. Each one has a different date entry.
DATE,ACCOUNT_NUMBER, SOLUTION, FINDING
1-1-2015,1, Replaced, WIRE
1-1-2015,2, Repaired, BOX
1-1-2015,3, Repaired, BOX
1-2-2015,1, Repaired, WIRE
1-2-2015,2, Replaced, BOX
1-3-2015,3, Replaced, BOX
I am using a subsearch to remove results where only a single result exists but it is not required.
index=data [ search index=data | stats count by ACCOUNT_NUMBER | where count>1 | fields ACCOUNT_NUMBER ]
| stats values(SOLUTION) as SOL, values(FINDING) by FND by ACCOUNT_NUMBER
I get the following result:
Account_Number, SOL, FND
1, Replaced, WIRE
Repaired, WIRE
2, Repaired, BOX
Replaced, BOX
3, Repaired, BOX
Replaced, BOX
I want to count how many times the same set of results appears.
SOL, FND, Count
Replaced, Wire, 1
Replaced, Wire
Repaired, BOX, 2
Replaced, BOX
I have tried various methods of counting the result sets but haven't been able to get it to work.
Appreciate any help that can be provided. Thank you for taking the time to respond.
... View more
01-21-2015
12:02 PM
That worked. Subsearch was only there to filter out the accounts with less than one entry.
Thank you again for taking the time to respond. I didn't think to try solution as I was focused on the account number field.
... View more
01-21-2015
11:37 AM
I have the following data. Each one has a different date entry.
DATE ACCOUNT_NUMBER SOLUTION NAME ADDRESS
1-1-2015 1 Replaced NAME1 ADDRESS1
1-1-2015 2 Repaired NAME2 ADDRESS2
1-1-2015 3 Repaired NAME3 ADDRESS3
1-2-2015 1 Repaired NAME1 ADDRESS1
1-2-2015 2 Replaced NAME2 ADDRESS2
I have a search with a subsearch:
index=data [ search index=data | stats count by ACCOUNT_NUMBER | where count>1 | fields ACCOUNT_NUMBER ] | stats latest(ACCOUNT_NUMBER) count by SOLUTION
Problem is when I add count by ACCOUNT_NUMBER,SOLUTION , I still have account numbers showing up with a result of more than 1.
I have tried first(_time), first(ACCOUNT_NUMBER) along with other searches. What I want is to see the first solution used for each account. The above result would be :
ACCOUNT_NUMBER SOLUTION
1 Replaced
2 Repaired
3 Repaired
And a count of the above which is my ultimate goal would be:
SOLUTION count
Replaced 1
Repaired 2
Appreciate any help that can be provided. Thank you for taking the time to respond.
... View more
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
06-05-2020
02:04 AM
|
