×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
sharathk0525
Observer
Member since: ‎06-24-2020
‎06-28-2020
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎06-24-2020
View All

Re: get the last element of repeating json payload

by in Splunk Search
‎06-28-2020 03:47 PM
‎06-28-2020 03:47 PM
Hello Kamlesh, thanks for your reply I am interested in getting the last payload. dedup would eliminate duplicates, but it does not ensure that it gets me the last payload. Is there any way, that would get me the last payload from  repeating payloads pattern? ... View more

Re: get the last element of repeating json payload

by in Splunk Search
‎06-25-2020 06:33 AM
‎06-25-2020 06:33 AM
  this is how my logs appear you will not see this text(====start====) (====end===) in the logs, just for understanding purpose I added this line, to differentiate repeating logs The logs are exactly identical and repeating in pattern ================start============= Final obj-1---------- { "action":"Waiting Approval", "changeConfigItem":[ {"ciItem" : "1"} ], "changeApprover":[ {"name" : "test" } ], "changeAttachment":[ { "fileName" : "abc.txt"}, {"fileName" : "abc.txt"} ] "newAction":"request-change" } ================end============= ==========start================== Final obj-1---------- { "action":"Waiting Approval", "changeConfigItem":[ {"ciItem" : "1"} ], "changeApprover":[ {"name" : "test" } ], "changeAttachment":[ { "fileName" : "abc.txt"}, {"fileName" : "abc.txt"} ] "newAction":"request-change" } ==========end================== ==========start================== Final obj-1---------- { "action":"Waiting Approval", "changeConfigItem":[ {"ciItem" : "1"} ], "changeApprover":[ {"name" : "test" } ], "changeAttachment":[ { "fileName" : "abc.txt"}, {"fileName" : "abc.txt"} ] "newAction":"request-change" } ==========end================== searchQuery  here is my search query search query index=abc_applications cf_space_name=production cf_app_name="my-app-name" "\"newAction\":\"request-change"\" AND "Final obj-1----------" | rex field=_raw "Final obj-1----------(?P<json_data_1>\{.*\})" | eval json_data = mvindex(json_data_1, -1) | spath input=json_data | rename data.cRID as CRID | eval Attachment_Count = spath(json_data, "changeAttachment{}") | eval Approver_Count = spath(json_data, "changeApprover{}") | eval Config_Count = spath(json_data, "changeConfigItem{}")| stats count(Attachment_Count) as Attachment_Count, count(Approver_Count) as Approver_Count, count(Config_Count) as Config_Item_Count by CRID current output I am getting output as, its giving cumulative results CRID   Attachment_Count Approver_Count Config_Item_Count 1111 6 3 3   expected/desired output CRID   Attachment_Count Approver_Count Config_Item_Count 1111 2 1 1   hope this helps your understanding ... View more

get the last element of repeating json payload

by in Splunk Search
‎06-24-2020 09:43 PM
‎06-24-2020 09:43 PM
I have a repeating j son payload appearing in my logs. I am interested in capturing the last payload from the logs. right now I am seeing 3 events with below search query, but I wanted the last event here is my search query search query   index=abc_applications cf_space_name=production cf_app_name="my-app-name" "\"newAction\":\"request-change"\" AND "Final obj-1----------" | rex field=_raw "Final obj-1----------(?P<json_data_1>\{.*\})" | eval json_data = mvindex(json_data_1, -1) | spath input=json_data | rename data.cRID as CRID | eval Attachment_Count = spath(json_data, "changeAttachment{}") | eval Approver_Count = spath(json_data, "changeApprover{}") | eval Config_Count = spath(json_data, "changeConfigItem{}")| stats count(Attachment_Count) as Attachment_Count, count(Approver_Count) as Approver_Count, count(Config_Count) as Config_Item_Count by CRID   this is how my logs appear you will not see this text(====start====) (====end===) in the logs, just for understanding purpose I added this line, to differentiate repeating logs The logs are exactly identical and repeating in pattern payload is here   this is how my logs appear you will not see this text(====start====) (====end===) in the logs, just for understanding purpose I added this line, to differentiate repeating logs The logs are exactly identical and repeating in pattern ================start============= Final obj-1---------- { "action":"Waiting Approval", "changeConfigItem":[ {} ], "changeApprover":[ {} ], "changeAttachment":[ {}, {} ] "newAction":"request-change" } ================end============= ==========start================== Final obj-1---------- { "action":"Waiting Approval", "changeConfigItem":[ {} ], "changeApprover":[ {} ], "changeAttachment":[ {}, {} ], "data":{ "cRID":"1111"} "newAction":"request-change" } ==========end================== ==========start================== Final obj-1---------- { "action":"Waiting Approval", "changeConfigItem":[ {} ], "changeApprover":[ {} ], "changeAttachment":[ {}, {} ] "newAction":"request-change" }, "data":{ "cRID":"1111"} ==========end==================   ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-28-2020 07:12 PM