Splunk Search

Combine fields created by spath

SPETZD11
New Member

I have a log file with multiple service requests/responses that I am logging in JSON. I am able to take those requests and responses, run them through mvexpand and spath, and come out with all of the fields being searchable. So far so good.

My problem is that there are some shared fields across the different services that I would like to combine to make searching a bit easier, but which have different field names from the spath.

soapenv:Envelope.soapenv:Body.aff:service1req.sys:SystemInfo.sys:ServiceContext.sys:sourceLogicalId 
soapenv:Envelope.soapenv:Body.aff:service2req.sys:SystemInfo.sys:ServiceContext.sys:sourceLogicalId 
soapenv:Envelope.soapenv:Body.aff:service3req.sys:SystemInfo.sys:ServiceContext.sys:sourceLogicalId
soapenv:Envelope.soapenv:Body.ns3:service1resp.ns2:SystemInfo.ns2:ServiceContext.ns2:sourceLogicalId
soapenv:Envelope.soapenv:Body.ns3:service2resp.ns2:SystemInfo.ns2:ServiceContext.ns2:sourceLogicalId
soapenv:Envelope.soapenv:Body.ns3:service3resp.ns2:SystemInfo.ns2:ServiceContext.ns2:sourceLogicalId

I've got a basic regex that can find all 6 of these : "soapenv:Envelope.soapenv:Body.[\w:.]+:sourceLogicalId"

The main issue I am having is figuring out how to use that regex to actually combine the fields. My last attempt was
sourcetype=source | mvexpand soapEnvelope | spath input=soapEnvelope | rex field=_raw "(?P<sourceLogicalID>soapenv:Envelope.soapenv:Body.[\w:.]+:sourceLogicalId)"

but I don't see any new field added like I would expect. I'm sure that I'm getting the syntax wrong somewhere in here, I just haven't been able to find anything online that explains what it is.


somesoni2
Revered Legend

Check if you really want to use _raw to extract that field in rex. After spath, the values might be available in a different field. Your regex works with your sample data just fine. See this run anywhere sample.

| gentimes start=-1 | eval temp="soapenv:Envelope.soapenv:Body.aff:service1req.sys:SystemInfo.sys:ServiceContext.sys:sourceLogicalId soapenv:Envelope.soapenv:Body.aff:service2req.sys:SystemInfo.sys:ServiceContext.sys:sourceLogicalId soapenv:Envelope.soapenv:Body.aff:service3req.sys:SystemInfo.sys:ServiceContext.sys:sourceLogicalId soapenv:Envelope.soapenv:Body.ns3:service1resp.ns2:SystemInfo.ns2:ServiceContext.ns2:sourceLogicalId soapenv:Envelope.soapenv:Body.ns3:service2resp.ns2:SystemInfo.ns2:ServiceContext.ns2:sourceLogicalId soapenv:Envelope.soapenv:Body.ns3:service3resp.ns2:SystemInfo.ns2:ServiceContext.ns2:sourceLogicalId" | table temp | makemv temp | mvexpand temp | rename temp as _raw  | rex field=_raw "(?P<sourceLogicalID>soapenv:Envelope\.soapenv:Body\.[\w:.]+:sourceLogicalId)"

If you just want to create a new field which will have values from these 6 fields (assuming each event has a value for one of the 6 fields listed), try this

sourcetype=source  | mvexpand soapEnvelope | spath input=soapEnvelope | rename "soapenv:Envelope.soapenv:Body.*:sourceLogicalId" as sourceLogicalID

SPETZD11
New Member

I tried doing the renaming as well, but when I did or used your example I get a "Wildcard mismatch" error in the rename command. I am also not sold on the _raw thing, it was really just something I saw from an example while trying to figure this out.


somesoni2
Revered Legend

OK, that was my mistake; the rename would not work that way. Again keeping my assumption about the availability of the fields in each row, what type of values do these fields hold?


SPETZD11
New Member

They all hold string values. The logical ID varies depending on who is calling the service, but is consistent for each consumer. My main goal here is to say "Show me all of the transactions made by X" and have it show any results from any of the three services. I could do that using a bunch of ORs and listing out the full spath name of each of the six types of logical ID, but that feels incredibly clunky.

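The thread stops before a working search is posted, so here is one as an added example (not code from either poster). Two things explain the earlier failures: after spath the six paths exist only as field names, not as text inside _raw, so rex against _raw finds nothing to capture; and rename cannot collapse several wildcard-matched fields into one name (the wildcard count must match on both sides, hence "Wildcard mismatch"). What does work is eval with coalesce, which returns the first non-null of its arguments, so a field that is present in only one of the six positions per event collapses cleanly into one name. The field names contain colons and dots, so they must be wrapped in single quotes inside eval. The search uses the thread's own sourcetype=source and soapEnvelope; "X" stands for the consumer's logical ID and is a placeholder:

```spl
sourcetype=source
| mvexpand soapEnvelope
| spath input=soapEnvelope
| eval sourceLogicalID=coalesce(
    'soapenv:Envelope.soapenv:Body.aff:service1req.sys:SystemInfo.sys:ServiceContext.sys:sourceLogicalId',
    'soapenv:Envelope.soapenv:Body.aff:service2req.sys:SystemInfo.sys:ServiceContext.sys:sourceLogicalId',
    'soapenv:Envelope.soapenv:Body.aff:service3req.sys:SystemInfo.sys:ServiceContext.sys:sourceLogicalId',
    'soapenv:Envelope.soapenv:Body.ns3:service1resp.ns2:SystemInfo.ns2:ServiceContext.ns2:sourceLogicalId',
    'soapenv:Envelope.soapenv:Body.ns3:service2resp.ns2:SystemInfo.ns2:ServiceContext.ns2:sourceLogicalId',
    'soapenv:Envelope.soapenv:Body.ns3:service3resp.ns2:SystemInfo.ns2:ServiceContext.ns2:sourceLogicalId')
| search sourceLogicalID="X"
| table _time sourceLogicalID soapEnvelope
```

If new services are added and listing every path becomes a maintenance burden, the same coalesce can be driven by a wildcard with foreach, which runs its subsearch template once per matching field and substitutes the matched name for <<FIELD>>; this assumes foreach accepts a wildcard in the middle of the field specifier, which it does in current Splunk releases:

| foreach soapenv:Envelope.soapenv:Body.*:sourceLogicalId [ eval sourceLogicalID=coalesce(sourceLogicalID, '<<FIELD>>') ]

Either form replaces the six-way OR with a single sourceLogicalID="X" filter; if an event ever carries more than one of the six paths, coalesce keeps the first non-null in argument order, so check for that case with `| where mvcount(sourceLogicalID)>1` style sanity searches before relying on the merged field for reporting.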