cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
nzamorano123
Engager
Member since: ‎03-25-2021
‎03-26-2021
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎03-25-2021
Activity Feed
View All

Re: How to fill null values in JSon field

by in Splunk Search
‎03-26-2021 07:23 AM
‎03-26-2021 07:23 AM
   This worked perfectly. Thank you very much for your help. I understand that I was skipping the step of specifying to spath the data that I wanted to expand. Again, thank you very much! ... View more

How to fill null values in JSon field

by in Splunk Search
‎03-25-2021 02:19 PM
‎03-25-2021 02:19 PM
How to fill null values in JSon field hello community, good afternoon I am trapped in a challenge which I cannot achieve how to obtain the expected result. Currently I have a log that contains a field in JSon format: { "data": { "steps": [ { "code": "11501", "index": "0", "counter": "1", "stepType": "Req & Resp", "optional": "False", "parallel": "False", "parents": "-1", "children": "1", "begin": "2021-03-24T10:00:02.597-03:00", "serviceOut": "2021-03-24T10:00:02.598-03:00", "serviceIn": "2021-03-24T10:00:02.857-03:00", "end": "2021-03-24T10:00:02.859-03:00", "timedout": "False", "lateResp": "False", "status": "C", "return": "" }, { "code": "11502", "index": "1", "counter": "2", "stepType": "Req & Resp", "optional": "False", "parallel": "False", "parents": "0", "children": "2", "begin": "2021-03-24T10:00:02.860-03:00", "serviceOut": "2021-03-24T10:00:02.886-03:00", "serviceIn": "2021-03-24T10:00:03.238-03:00", "end": "2021-03-24T10:00:03.243-03:00", "timedout": "False", "lateResp": "False", "status": "C", "return": "03546" }, { "code": "11505", "index": "4", "counter": "3", "stepType": "Req & Resp", "optional": "False", "parallel": "False", "parents": "3", "children": "5", "begin": "2021-03-24T10:00:03.246-03:00", "serviceOut": "2021-03-24T10:00:03.250-03:00", "serviceIn": "2021-03-24T10:00:03.293-03:00", "end": "2021-03-24T10:00:03.294-03:00", "timedout": "False", "lateResp": "False", "status": "C", "return": "03546" } ] } } Query Splunk: index="pagos_moviles" source="/veritran/vt-net/log/MP_TRANSAC_LOG_BECP_ND*.log" trxl_resp!="000" | spath input=trxl_tech_detail | fields _time trxl_tech_detail data.steps* | fillnull value="-" data.steps* |rename data.steps{}.begin AS begin, data.steps{}.children AS step, data.steps{}.code AS code, data.steps{}.counter AS counter, data.steps{}.end AS end, data.steps{}.index AS index, data.steps{}.lateResp AS lateResp, data.steps{}.optional AS optional, data.steps{}.parallel AS parallel, data.steps{}.parents AS parents, data.steps{}.return AS return, data.steps{}.serviceIn AS serviceIn, data.steps{}.serviceOut AS serviceOut, data.steps{}.status AS status, data.steps{}.stepType AS stepType, data.steps{}.timedout AS timedout| eval campos=mvzip(begin,mvzip(step,mvzip(code,mvzip(end,mvzip(index,mvzip(status,mvzip(return,timedout))))))) | mvexpand campos | eval campos=split(campos,",")|eval begin =mvindex(campos,0) |eval step=mvindex(campos,1) |eval code =mvindex(campos,2) |eval end =mvindex(campos,3) |eval index =mvindex(campos,4) |eval status=mvindex(campos,5) |eval return=mvindex(campos,6) |eval timedout =mvindex(campos,7)| table _time trxl_tech_detail campos Servicio Operacion begin step code counter end index return status timedout trxl_resp Detalle Tipo_Error trxl_transaction_code | fillnull value="-" return Result:    As you can see in the photo, it only expands 2 rows and they should be 3. I also noticed that the return value does not always exist and I think this is what finally causes it not to expand all the json. Is there a way to fill the null values in the json with some character? In advance, thank you very much and excuse me for my English but it is not my native language.   ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎03-26-2021 10:07 PM