Splunk Search

Parse field from JSON logs and build a stats table with data

gabarrygowin
Path Finder

Hi all,

Very close with the offerings in other JSON/SPATH posts but just not getting it done.

We have a JSON formatted log coming into Splunk that gives a ton of data on our servers. One of them being a 'metal' field that we classify our systems by. We'd like to parse that values.metal field and build a stats table (?) that shows how many systems are in each metal.

The current search (which isn't working well) is 'index=unix source="/var/log/facts/*" metal | stats distinct_count(host) by values.metal'

Here's some of the JSON file:

{
  "name": "toritsgitvlp01.xx.com",
  "values": {
    "aio_agent_build": "1.7.2",
    "aio_agent_version": "1.7.2",
    "architecture": "x86_64",
    "augeas": {
      "version": "1.4.0"
    },
    ......
  },
  "memoryfree": "6.76 GiB",
  "memoryfree_mb": 6918.28125,
  "memorysize": "7.63 GiB",
  "memorysize_mb": 7815.03125,
  "metal": [
    "dirt"
  ],
  .......

Any help MUCH appreciated.

0 Karma

DalJeanis
SplunkTrust

The key verb you are looking for is spath.
http://docs.splunk.com/Documentation/Splunk/6.3.3/SearchReference/Spath

Here are a couple of threads that show pretty clearly how to use spath to get data out of a JSON, with run-anywhere samples and step by step explanations.

https://answers.splunk.com/answers/525678/parse-json-series-data-into-a-chart.html
https://answers.splunk.com/answers/492158/extracting-data-from-complicated-json-match-a-valu.html

0 Karma

gabarrygowin
Path Finder

Hey DalJeanis,

Thanks for the reply. Still not getting anywhere with the examples, and I was using the Doc prior. Something is just not functioning here.

Here's the latest syntax based on the example you provided:

index=unix source="/var/log/facts/*" | spath input=values.metal path="[]" | rename "[]" as METAL | mvexpand METAL | spath input=METAL | stats distinct_count(host) by METAL

Results = no metals grabbed.

0 Karma
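A run-anywhere search that does what the question asks, added here as an editor's example rather than anything posted in the thread; the three JSON events are constructed to mirror the facts-file shape (a name plus a values.metal array), and the metal array is assumed to sit under values, as the question's own searches assume. Splunk names auto-extracted JSON array fields with a {} suffix, so the field is values.metal{} rather than values.metal, which is why both stats ... by values.metal and spath input=values.metal (a field that does not exist) return nothing; spath path=values.metal{} addresses the array directly.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw=case(
    n==1, "{\"name\":\"srv01.example.com\",\"values\":{\"architecture\":\"x86_64\",\"metal\":[\"dirt\"]}}",
    n==2, "{\"name\":\"srv02.example.com\",\"values\":{\"architecture\":\"x86_64\",\"metal\":[\"dirt\",\"gold\"]}}",
    n==3, "{\"name\":\"srv03.example.com\",\"values\":{\"architecture\":\"aarch64\",\"metal\":[\"gold\"]}}")  ```constructed sample events in the facts-file shape; replace with the real index/source search```
| spath output=name  path=name            ```the system's identity from the JSON itself, not the forwarder's host field```
| spath output=METAL path=values.metal{}  ```{} selects every element of the metal array into one multivalue field```
| mvexpand METAL                          ```one row per (system, metal) pair, so a multi-metal system is counted in each```
| stats dc(name) AS systems BY METAL      ```distinct systems per metal; use dc(host) if host is the system, not the forwarder```
```

On live data replace the first three commands with index=unix source="/var/log/facts/*" and keep the explicit path: spath in extract-all mode (no path given) only reads the first extraction_cutoff bytes of an event (limits.conf, default 5000), so on large facts events a metal array far into the JSON can be silently skipped when the path is not named.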