Hi all, I am very new to Splunk and trying to learn it. Following is my JSON: {         TrainID=AA11           TrainData: [                                     {                               ConnectingTrain: {                                                                 TR1: {                                                                             connectionTime: 59                                                                              TotalPassengers: 44                                                                          },                                                                     }                                    }                           ]            connectionTime : 38 } Here I want to print the value of connection time which is under TR1 and not the one that is a duplicate variable having a different value. Appreciate any pointers here.   Thanks, Chetan ... View more

Hi all, I am trying to run a basic search where I am trying to print table based on where and like() condition. But its not working. Following is a query. It is always showing 0 results. index="traindetails" sourcetype=* | eval trainNumber="1114" | eval train2 = A_BCD_1114_EFG | where like(train2,"%$trainNumber$%") | table trainNumber,train2 I also tried following but no luck. | where like(train2,"%"+$trainNumber$+"%") can someone please help? Thanks ... View more

Hi all, To give a problem background, I am trying to run a map command inside a search to get some values. THE JSON I am trying to access (sample below) has nested JSONs where I only need to read and derive value for the matched block. But as of now, my table command prints 3 rows instead of one (one row for each nested  JSON). I would like to print only the matching JSON block and ignore the other. I think rex and spath will be required here but it was still printing 3 rows as the final output but I need to print only 1 row. Not sure how to use them correctly to get the results. Please help. my sample search: Index=Dummy X.id=AA11 | eval version=X.version | eval connTrain=X.conTrainId----(value is TR2) | map Index=ABC Y.TrainID=AA11 Y.version=$version$ Sample JSON is given below. In this case, I need to only access TR2 (second block) and print its time and passenger value. In real-time, there can be only 1 JSON block or many and matching block can be at any location in case of multiple blocks. { TrainID=AA11 "TrainData": [ { "ConnectingTrain": { "TR1": { "connectionTime": "59", "TotalPassengers": "44", }, "TR2": { "connectionTime": "33", "TotalPassengers": "47", }, "TR3": { "connectionTime": "51", "TotalPassengers": "27", } } } ] } ... View more