×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
rkothari
Loves-to-Learn Everything
Member since: ‎05-25-2021
Community Statistics
Posts 3
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎05-25-2021
View All

Re: Extract fields from nested json structure with...

by in Splunk Search
‎05-27-2021 05:34 PM
‎05-27-2021 05:34 PM
Hello @kamlesh_vaghela  Your proposal using rex doesn't work with my data. It somehow works correctly with the way you are loading your sample data, but when I apply the rex and table command to my data like you have shared, it shows the Name and Version columns empty for all rows. I think your previous solution using foreach really got us very close except that weird behavior where some rows would show Name and Version columns empty randomly.  Do you have any idea how that part can be resolved in your first proposal? I think the weird behavior with foreach sounds very similar to this another post. Is there any bug with foreach functionality that would result in such behavior? Thanks very much again! ... View more

Re: Extract fields from nested json structure with...

by in Splunk Search
‎05-26-2021 05:45 PM
‎05-26-2021 05:45 PM
Thank you @kamlesh_vaghela for sharing this. Your solution gets me the required data in table as expected, however it doesn't consistently show me values for "Name" and "Version" columns in all rows.  I have about 2000 log events like the structure in my question, but every time I re-run your solution query I get blank values for "Name" and "Version" columns for varying number of rows. For example, I see all rows populated with value in "deviceId" but I only see actual values for "Name" and "Version" columns in 24 rows. Remaining rows show blank value for "Name" and "Version". Next time I refresh the search query, the number 24 changes to another number. Could the foreach part of your solution be somehow contributing to this inconsistent behavior? UPDATE: I wanted to add that for the records that show a blank value in columns "Name" and "Version", I have verified that their raw log events have a valid string value at paths details.Device:Information.Content.*.Name and details.Device:Information.Content.*.Version. ANOTHER UPDATE: I can reproduce this problematic behavior with your proposed solution by feeding more than 1 log event. Could you please try feeding 2-4 log events to your proposed solution that may help you understand the problem? I think solving this might make your proposal a complete answer. Thanks again for all your help. ... View more

Extract fields from nested json structure with dyn...

by in Splunk Search
‎05-25-2021 05:43 PM
‎05-25-2021 05:43 PM
Hello, I have nested json type log messages like below being forwarded to splunk -   { "timeStamp": "2021-03-11T07:45:49.780000+00:00", "status": "deactive", "deviceId": "uuid12345", "details": { "Device:Information": { "Type": "Apple", "Content": { "uuid12345": { "Name": "IOS", "Version": "14.4" } } } } }     I'd like to generate a table like below out of all such log messages - deviceId Name Version uuid12345 IOS 14.4 uuid12346 Android 8.1   I am aware that a table of fields can be easily created using table command or stats (to get counts by Name and Version), however the problem with this log message structure is that the nested json path `details.Device:Information.Content` contains a key with value `uuid12345` which is dynamic in nature. Therefore, a query like this doesn't work as I need since the wildcard character seem to create one column for each interpreted value like `details.Device:Information.Content.uuid12345.Name`, `details.Device:Information.Content.uuid12346.Name`, `details.Device:Information.Content.uuid12345.Version`, `details.Device:Information.Content.uuid12346.Version` -   | table deviceId, details.Device:Information.Content.*.Name, details.Device:Information.Content.*.Version   Is it possible to get this information extracted into a table like I described above? Would it be possible to extract `Name` and `Version` as fields so that I don't have to use full json path in table or stats command? Thanks for your help in advance.   ... View more
Contact Me