×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
janesh222
Engager
Member since: ‎03-24-2024
‎03-26-2024
Community Statistics
Posts 2
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎03-24-2024
Activity Feed
View All

Re: Splunk not able to extract fields properly

by in Splunk Search
‎03-25-2024 08:50 PM
‎03-25-2024 08:50 PM
Thanks a lot yuanli,    That worked , you are a genuis. I thought I could never structure it in splunk.  I did speak to the dev team , apparently the json is structured in that way to feed a particular dashboard system that they use. So it has to be in that structure for that system to consume. However they have agreed to update the structure in the next release which could be a few months away (6 months atleast) . So in the mean time I could work with this bad json until then.    Thanks  a lot again. I had searched in splunk for something like this before and havent seen anything.  ... View more

Splunk not able to extract fields properly

by in Splunk Search
‎03-24-2024 05:04 PM
‎03-24-2024 05:04 PM
Hi Splunk Experts,  I have some data coming into splunk which has the following format:  [{"columns":[{"text":"id","type":"string"},{"text":"event","type":"number"},{"text":"delays","type":"number"},{"text":"drops","type":"number"}],"rows":[["BM0077",35602782,3043.01,0],["BM1604",2920978,4959.1,2],["BM1612",2141607,5623.3,6],["BM2870",41825122,2545.34,7],["BM1834",74963092,2409.0,8],["BM0267",86497692,1804.55,44],["BM059",1630092,5684.5,0]],"type":"table"}]   I tried to extract each field so that each value  corresponds to id,event,delays and drops as a table using the below command.    index=result | rex field=_raw max_match=0 "\[\"(?<id>[^\"]+)\",\s*(?<event>\d+),\s*(?<delays>\d+\.\d+),\s*(?<drops>\d+)" | table id  event delays drops    I get the result in table format , however it spits out as one whole table and not individual entries and I cannot manipulate the result.  I have tried using mvexpand , however it can only do for one value, so have not been helpful as well.    Does anyone know how we can properly get the table in splunk .  ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎03-26-2024 05:06 AM
Karma given to
View All