cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Karanreddy
Engager
Member since: ‎05-03-2023
‎05-04-2023
Community Statistics
Posts 2
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎05-03-2023
Activity Feed
View All

Splunk search query to create a table from JSON se...

by in Splunk Search
‎05-04-2023 08:00 AM
‎05-04-2023 08:00 AM
I am relatively new to Splunk search and I am trying to build a table from my splunk search results. Can someone please help me to build a table using following JSON My search results as follows ``` { [-] docker: { [+] } kubernetes: { [+] } log: LOGGER {"name":"some text here","pathname":"/some/path","timestamp":"2023-05-03T20:35:06Z","action":"pageview","payload":{"category":"cloths","country":"US","appEnv":"production"},"uID":"0023493543"} stream: stdout } ``` raw text: ``` { "stream": "stdout", "log": "LOGGER {\"name\":\"Some text here\",\"pathname\":\"/some/path\",\"timestamp\":\"2023-05-04T10:44:05Z\",\"action\":\"pageview\",\"payload\":{\"category\":\"cloths\",\"country\":\"US\",\"appEnv\":\"production\"},\"uID\":\"0023493543\"}", "docker": { "container_id": "xxxxxxxxxxxx" }, "kubernetes": { "container_name": "xxxxxx", ..... }, "labels": { ..... }, "namespace_id": "xxxx-xxx-xxx-xxx", "namespace_labels": { "application-id": "48928423", "namespace": "849328932-243232xxxx", ........ } } } ``` From this I would like draw the table as | uID | pathname | category | eventName | country | timestamp | | 0023493543 | /some/path | cloths | some text here | US | | ---- | ---- | ---- | ---- | ---- | ---- |   I have tried building table using spath, eval, extract commands but none of tries gives me any desired result. If its a plain JSON object in log field, I managed to build a query for few selected fields, but as its a text String and JSON in it, I am not sure, how to extract my fields. I am expecting a table as shown above, later I can modify query for my complex result. I have tried the following query, ``` BASE SEARCH | spath path=log | rex field=log max_match=0 "name\W+(?<name>[^\"]+)" | rex field=log max_match=0 "pathname\W+(?<pathname>[^\"]+)" | rex field=log max_match=0 "timestamp\W+(?<timestamp>[^\"]+)" | rex field=log max_match=0 "category\W+(?<category>[^\"]+)" | rex field=log max_match=0 "country\W+(?<country>[^\"]+)" | rex field=log max_match=0 "uID\W+(?<uID>\w+)" | table uID, pathname, category, name, country, timestamp ``` which gives me desired result, except name field. It gives me additional text as ``` some text here some/path ``` but I need only `some text here` ... View more
Labels

How to create a table from JSON?

by in Splunk Search
‎05-03-2023 04:27 PM
‎05-03-2023 04:27 PM
Hi,  Can someone please help me to build a table using following JSON My search results  as follows      { [-] docker: { [+] } kubernetes: { [+] } log: LOGGER {"name":"some text here","pathname":"/some/path","timestamp":"2023-05-03T20:35:06Z","action":"pageview","payload":{"category":"cloths","country":"US","appEnv":"production"},"uID":"0023493543"} stream: stdout }     From this I would like draw the table as  uID pathname category eventName country 0023493543 /some/path cloths some text here US Thanks in advance ... View more
Labels
Contact Me
Online Status
Offline
Date Last Visited
‎05-04-2023 04:52 AM
Karma given to
View All