Getting Data In

Adding additional column after grouping for JSON records

technie101
Explorer

The incoming logs are stored in Splunk in a JSON format.

Example JSON records below.

Entry 1 :

{   data:[
    {
      "endpoint":"ep_1",
      "service":"service_1",
      "http_status_code":"500"
    },
    {
      "endpoint":"ep_2",
      "service":"service_1",
      "http_status_code":"500"
    },
    {
      "endpoint":"ep_3",
      "service":"service_2",
      "http_status_code":"503"
    }   ] }

Entry 2 :

{
  data:[
    {
      "endpoint":"ep_1",
      "service":"service_1",
      "http_status_code":"500"
    }
  ]
}

The expected output for my search should be something like :

alt text

When I search using the query:

host=mashery_production "data{}.http_status_code"= 5*| eval endpoint='data{}.endpoint' | eval service='data{}.service' | Stats Count("data{}.status") as Count, values(service), by endpoint | where Error_Count > 0

the output I get is :

alt text

which looks like the grouping is messed up. Please help.

0 Karma
1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

HI technie101

Can you please try below search??

host=mashery_production "data{}.http_status_code"= inactive 
| rename data{}.endpoint as endpoint, data{}.service as service, data{}.status as status
| eval tempField=mvzip(mvzip(endpoint,service),status) 
| stats count by _time,tempField 
| eval endpoint=mvindex(split(tempField,","),0), service=mvindex(split(tempField,","),1), status=mvindex(split(tempField,","),1)
| search status="inactive"
| stats count by endpoint,service

Thanks

View solution in original post

kamlesh_vaghela
SplunkTrust
SplunkTrust

HI technie101

Can you please try below search??

host=mashery_production "data{}.http_status_code"= inactive 
| rename data{}.endpoint as endpoint, data{}.service as service, data{}.status as status
| eval tempField=mvzip(mvzip(endpoint,service),status) 
| stats count by _time,tempField 
| eval endpoint=mvindex(split(tempField,","),0), service=mvindex(split(tempField,","),1), status=mvindex(split(tempField,","),1)
| search status="inactive"
| stats count by endpoint,service

Thanks

View solution in original post

technie101
Explorer

Hi Kamlesh,

I had wrongly typed the json response which was not matching with the search query that I gave. Apologies. I've updated it now.

Coming to this suggestion, I've tried with the below and I don't see any results.

host=mashery_production "data{}.http_status_code"= 5* 
 | rename data{}.endpoint_name as endpoint, data{}.service_name as service, data{}.http_status_code as status
 | eval tempField=mvzip(mvzip(endpoint,service),status) 
 | stats count by _time,tempField 
 | eval endpoint=mvindex(split(tempField,","),0), service=mvindex(split(tempField,","),1), status=mvindex(split(tempField,","),1)
 | search status="5*"
 | stats count by endpoint,service
0 Karma

technie101
Explorer

Quick Update. I got the below working.

host=mashery_production "data{}.http_status_code"= 5* 
 | rename data{}.endpoint_name as endpoint, data{}.service_name as service, data{}.http_status_code as status | eval tempField=mvzip(mvzip(endpoint,service),status) | eval endpoint=mvindex(split(tempField,","),0), service=mvindex(split(tempField,","),1), status=mvindex(split(tempField,","),2)  | stats count by endpoint,service

The 2 changes were :

  1. Corrected the index on the last split on the temp field for status from 1 to 2. That must have been a type.
  2. Removed search status="5*"

Thanks a lot for the help.

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

HI technie101,
Great,
If It helps you then can you please accept this answer to close this question ??

Thanks

0 Karma

gjanders
SplunkTrust
SplunkTrust
 host=mashery_production "data{}.http_status_code"= inactive | eval endpoint='data{}.endpoint' | eval service='data{}.service' | Stats Count("data{}.status") as Count by endpoint, service | where Error_Count > 0

Perhaps? Using the values function is expected to provide multiple values, if you are trying to get a count with a value per endpoint/service then you would write something like the above...

Alerts for Splunk Admins https://splunkbase.splunk.com/app/3796/
Version Control for Splunk https://splunkbase.splunk.com/app/4355/
0 Karma
Did you miss .conf21 Virtual?

Good news! The event's keynotes and many of its breakout sessions are now available online, and still totally FREE!