×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
adikrhd
Path Finder
Member since: ‎07-07-2023
‎03-27-2024
Community Statistics
Posts 18
Solutions 1
Karma Given 9
Karma Received 1
Member Since ‎07-07-2023
Activity Feed
View All

Re: How do I extract key values from a json object...

by in All Apps and Add-ons
‎04-13-2024 01:15 AM
‎04-13-2024 01:15 AM
Small tweak to the regex: (removing two space characters from the second-to-last line) | makeresults | eval _raw = "{\"orderNum\":\"1234\",\"orderLocation\":\"demoLoc\",\"details\":{\"key1\":\"value1\",\"key2\":\"value2\"}}" | spath | spath input=_raw path=details output=hold | rex field=hold "\"(?<kvs>[^\"]*\"*[^\"]*\"*[^\"]*\"*)\"" max_match=0 | stats values(*) as * by kvs | rex field=kvs "(?<key>[^\"]*)\":\"(?<value>[^\"]*)" max_match=0 | table orderNum key value orderLocation   If the value can be an escaped JSON string, then indeed you need to be more crafty with the regex. E.g.: | makeresults | eval _raw = "{\"orderNum\":\"1234\",\"orderLocation\":\"demoLoc\",\"details\":{\"key1\":\"{\\\"jsonvalue\\\":\\\"jsonvaluevalue\\\",\\\"jsonvalue2\\\":\\\"jsonvaluevalue2\\\"}\",\"key2\":\"value2\"}}" | spath | spath input=_raw path=details output=hold | rex field=hold "(?<kvs>\"[^\"]*\":\"{?[^}]*}?\")" max_match=0 | stats values(*) as * by kvs | rex field=kvs "(?<key>[^\"]*)\":\"(?<value>{?[^{}]*}?)\"" max_match=0 | table orderNum key value orderLocation ... View more

Re: Fetching statistics: Unique discrepancy detail...

by in Splunk Search
‎07-18-2023 10:44 PM
‎07-18-2023 10:44 PM
@yuanliu , I was able to achieve it through this; I missed the part where the value is a multivalued field. After using mvmap, it worked fine.     | rex field=value mode=sed "s/.+=> *//" | eval value = mvmap(value, if(match(value, "#DEL|null"), value, "others")) | stats values(Unique_key) as Unique_key count by value | table Unique_key value count | rename value as "#DEL or null or others"       ... View more

Re: List all unique keys present under certain jso...

by in Splunk Search
‎07-09-2023 05:47 PM
1 Karma
‎07-09-2023 05:47 PM
1 Karma
Hey @GaetanVP  I tried this same query using makeresult as suggested by @yuanliu , and it worked perfectly fine, I am not quite sure why it is not working with my production raw data. due to some security reasons I may not be able to provide you raw data screenshot but it looks something like this   { "severity": "INFO", "time": "2023-07-09 18:53:53.930", "Stats": { "discrepancy" : 10 }, "discrepancyDetails": { "record1/0": "#DEL", "record2/1": "#DEL", "record3": "expected => actual", } }   I want all unique discrepancyDetails and its count, anyway, I was able to get it through this query   index="demo1" sourcetype="demo2" | search discrepancyDetails AND Stats | spath "Stats.discrepancy" | search "Stats.discrepancy" > 0 | stats count(discrepancyDetails.*) as discrepancyDetails.* | transpose     I have some follow up queries on this. I may create a new thread for the same. Thanks for your prompt response, really appreciated! ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎03-27-2024 01:22 AM
Karma from
View All
Karma given to