As shown below, I have only two events present in my index.
But when I execute the below search query:
index = **** 
| rex field=_raw "(?msi)(?<json_field>\{.+\}$)" 
| spath input=json_field 
| rename SCMSplunkLog.SCMFailureLog.appName as APPNAME,
         SCMSplunkLog.SCMFailureLog.eventType as EVENTTYPE,
         SCMSplunkLog.SCMFailureLog.payload.level as LEVEL,
         SCMSplunkLog.SCMFailureLog.payload.errorDescription as ERRORDESCRIPTION,
         SCMSplunkLog.SCMFailureLog.payload.startTime as STARTDATE,
         SCMSplunkLog.SCMFailureLog.payload.endTime as ENDDATE 
| where APPNAME!="" and LEVEL="ERROR"
| table APPNAME,EVENTTYPE,STARTDATE,ENDDATE,LEVEL,ERRORDESCRIPTION
I was getting duplicate entries in the result table, as below.
Can anyone please help me with this?
Edited:
Attached sample JSON:
{
  "SCMSplunkLog" : {
    "SCMFailureLog" : {
      "appName" : "Testing_splunk_alerts_log",
      "eventType" : "Testing_splunk_alerts_log",
      "payload" : {
        "level" : "ERROR",
        "startTime" : "2022-04-12T13:57:49.156Z",
        "successCount" : 0,
        "failureCount" : 0,
        "publishedCount" : 0,
        "errorCode" : 0,
        "errorDescription" : "ERROR: relation \"test.testLand\" does not exist\n Position: 8",
        "sourceCount" : 0,
        "endTime" : "2022-04-12T13:57:54.483Z"
      }
    }
  }
}
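To make the pipeline in the question concrete, here is an added Python emulation (not part of the original post and not Splunk's own code) of the rex extraction, spath-style flattening, rename and where steps over the posted sample, followed by a step that collapses identical rows the way SPL's dedup command would. The syslog-style prefix in SAMPLE_RAW and the dedup step are my assumptions; Python spells the named group as (?P<json_field>...) rather than (?<json_field>...).

```python
import json
import re

SAMPLE_RAW = (  # constructed event: a made-up syslog prefix, then the question's JSON on one line
    "2022-04-12T13:57:54.483Z scm-host app[123]: "
    '{"SCMSplunkLog": {"SCMFailureLog": {"appName": "Testing_splunk_alerts_log", "eventType": '
    '"Testing_splunk_alerts_log", "payload": {"level": "ERROR", "startTime": "2022-04-12T13:57:49.156Z", '
    '"successCount": 0, "failureCount": 0, "publishedCount": 0, "errorCode": 0, "sourceCount": 0, '
    '"endTime": "2022-04-12T13:57:54.483Z", '
    '"errorDescription": "ERROR: relation \\"test.testLand\\" does not exist\\n Position: 8"}}}}'
)
# The question's rex pattern; Python writes the named group as (?P<name>...) instead of (?<name>...).
JSON_RE = re.compile(r"(?msi)(?P<json_field>\{.+\}$)")
RENAMES = {  # the query's rename list: spath path -> table column
    "SCMSplunkLog.SCMFailureLog.appName": "APPNAME",
    "SCMSplunkLog.SCMFailureLog.eventType": "EVENTTYPE",
    "SCMSplunkLog.SCMFailureLog.payload.level": "LEVEL",
    "SCMSplunkLog.SCMFailureLog.payload.errorDescription": "ERRORDESCRIPTION",
    "SCMSplunkLog.SCMFailureLog.payload.startTime": "STARTDATE",
    "SCMSplunkLog.SCMFailureLog.payload.endTime": "ENDDATE",
}


def flatten(obj, prefix=""):
    """Flatten nested JSON objects into spath-style dotted paths (arrays are not modelled)."""
    if not isinstance(obj, dict):
        return {prefix: obj}
    out = {}
    for key, value in obj.items():
        out.update(flatten(value, f"{prefix}.{key}" if prefix else key))
    return out


def extract_row(raw):
    """rex + spath + rename + where for one event; returns None when the event is filtered out."""
    match = JSON_RE.search(raw)
    fields = flatten(json.loads(match.group("json_field"))) if match else {}
    row = {new: fields.get(old) for old, new in RENAMES.items()}
    if not row["APPNAME"] or row["LEVEL"] != "ERROR":  # where APPNAME!="" and LEVEL="ERROR"
        return None
    return row


def build_table(raw_events):
    """Run the pipeline over every event and keep only distinct rows, as SPL's dedup would."""
    seen, rows = set(), []
    for raw in raw_events:
        row = extract_row(raw)
        if row is not None and tuple(row.items()) not in seen:
            seen.add(tuple(row.items()))
            rows.append(row)
    return rows
```

Feeding the same event twice returns a single row, which shows what the dedup step does; it does not explain why the index returned the event twice in the first place.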
I tried the same as you have. It seems to be working as expected.
| makeresults | eval _raw="{
\"SCMSplunkLog\" : {
\"SCMFailureLog\" : {
\"appName\" : \"Testing_splunk_alerts_log\",
\"eventType\" : \"Testing_splunk_alerts_log\",
\"payload\" : {
\"level\" : \"ERROR\",
\"startTime\" : \"2022-04-12T13:57:49.156Z\",
\"successCount\" : 0,
\"failureCount\" : 0,
\"publishedCount\" : 0,
\"errorCode\" : 0,
\"errorDescription\" : \"ERROR: relation \\\"test.testLand\\\" does not exist\n Position: 8\",
\"sourceCount\" : 0,
\"endTime\" : \"2022-04-12T13:57:54.483Z\"
}
}
}
}"
@mayurr98 I updated my post with the sample JSON.
Could you please give us sample JSON raw events? Paste them in </>.