Is there an example that shows how to iterate the extraction of json objects using Splunk query language?
The spath command documentation shows an example, but it is only for two key names:
http://docs.splunk.com/Documentation/Splunk/6.0.1/SearchReference/Spath
I need to create a Splunk query construct that iterates over the JSON objects found in the following log event and then aggregates as follows:
Splunk main construct: |stats sum(Total) as Total sum(Fails) as Fails sum(TimeOuts) as TimeOuts by client
Is there a way to do it in Splunk query language?
JSON event:
[
  {
    "_time": "2014-02-17T18:15:00.000+00:00",
    "Total": "194118",
    "Bad": "7373",
    "mean": "65.28",
    "Fails": "10",
    "client": "hello.com",
    "TimeOuts": "0",
    "Good": "194108",
    "Service": "4u"
  },
  {
    "_time": "2014-02-17T18:15:00.000+00:00",
    "Total": "194118",
    "Bad": "7373",
    "mean": "65.28",
    "Fails": "10",
    "client": "HYO.com",
    "TimeOuts": "0",
    "Good": "194108",
    "Service": "4u"
  }
]
Thanks,
Lp
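As an added example (not part of the original thread), here is one way to iterate over the array inside a single event without changing how the event is broken: `spath path={}` pulls the top-level array elements into a multivalue field, `mvexpand` turns each element into its own result, and a second `spath` with `input=` extracts the keys from each element. The `makeresults`/`eval` lines build a trimmed, constructed copy of the event from the question so the search runs against no index; replace them with the real base search. The aggregation uses `Total`, not `total`, because Splunk field names are case-sensitive and the JSON key is `Total`.

```spl
| makeresults
| eval _raw="[{\"_time\":\"2014-02-17T18:15:00.000+00:00\",\"Total\":\"194118\",\"Fails\":\"10\",\"client\":\"hello.com\",\"TimeOuts\":\"0\"},{\"_time\":\"2014-02-17T18:15:00.000+00:00\",\"Total\":\"194118\",\"Fails\":\"10\",\"client\":\"HYO.com\",\"TimeOuts\":\"0\"}]"
| spath path={} output=obj
| mvexpand obj
| spath input=obj path=client output=client
| spath input=obj path=Total output=Total
| spath input=obj path=Fails output=Fails
| spath input=obj path=TimeOuts output=TimeOuts
| stats sum(Total) as Total sum(Fails) as Fails sum(TimeOuts) as TimeOuts by client
```

The element-level `spath` calls name their paths explicitly rather than extracting everything, so the `_time` key inside each object does not overwrite the event's real `_time`. With the sample data this gives one row per client (`hello.com` and `HYO.com`), each with Total 194118, Fails 10 and TimeOuts 0. `mvexpand` allocates memory per expanded element, so on events carrying very large arrays the index-time event-breaking approach suggested in the answer below scales better.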
As another approach, because you have nice JSON events with a timestamp and no sub-level JSON:
Why not define a sourcetype that breaks your JSON into events each time you reach a new line starting with "{"?
Then you will have all your events separated, and you can use spath to get your fields extracted.
Example: http://answers.splunk.com/answers/80741/event-break-json
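As an added example of the approach yannK describes (not code from the thread or from the linked answer), the following props.conf stanza breaks an incoming JSON array into one event per object. The sourcetype name `json_array_batch` and the regexes are assumptions to be adapted to the real feed: the breaker matches a comma that directly follows a closing `}` and is followed by `{`, so commas inside objects are left alone, and the two SEDCMD lines strip the array's outer `[` and `]` from the first and last event so each `_raw` is a valid JSON object.

```ini
# props.conf (assumed sourcetype name; set it on the input that reads the JSON files)
[json_array_batch]
# Break only at a comma between two objects, discarding the comma and surrounding whitespace.
SHOULD_LINEMERGE = false
LINE_BREAKER = ((?<=\})\s*,\s*)(?=\{)
# Drop the array brackets that end up on the first and last event.
SEDCMD-strip_open_bracket = s/^\s*\[\s*//
SEDCMD-strip_close_bracket = s/\s*\]\s*$//
# Take the event time from the "_time" key (ISO 8601 with a +hh:mm offset).
TIME_PREFIX = "_time"\s*:\s*"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%:z
MAX_TIMESTAMP_LOOKAHEAD = 40
# Search-time JSON extraction of each object's keys.
KV_MODE = json
TRUNCATE = 10000
```

With this in place the aggregation from the question works directly, for example `sourcetype=json_array_batch | stats sum(Total) as Total sum(Fails) as Fails sum(TimeOuts) as TimeOuts by client`. Two checks before trusting it: run a small sample file through the input and confirm in search that each event's `_raw` starts with `{` and ends with `}`, and make sure the producer does not emit a trailing comma after the last object (as the sample in the question did), because that event would no longer be valid JSON and `KV_MODE = json` would extract nothing from it.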
I can assure you that my regex is correct.
yannK,
I think that the problem is that the JSON objects are not split into events. Therefore, any aggregation function will not work as expected.
yannK,
Now I am able to extract all the JSON key values as expected. However, I cannot aggregate using the stats function example presented in the question. The results are incorrect. Any idea?
Thanks.
I should have thought about this solution.