Splunk Search

Splitting or searching a MV JSON

moseisleydk
Path Finder

I have a json array like:

How can I search or split that? The search:

index=jira "issues{}.fields.customfield_14028"=521 | head 1 | stats sum("issues{}.fields.customfield_14233") by "issues{}.fields.summary"

gives all issues....also where issues{}.fields.customfield_14028"<>521

Tags (1)
0 Karma

anishinha
New Member

is it possible to extract a field from a result contained in a JSON field?
Ex; result of field payment.log: {"data":{"lancto_dto_list":,"sld_dt":{"lim":10.00,"sld_disp":37.80,"disp":40.80}}}
I need the last field "disp".

0 Karma

to4kawa
Ultra Champion
| makeresults
| eval _raw="payment.log: {\"data\":{\"lancto_dto_list\":,\"sld_dt\":{\"lim\":10.00,\"sld_disp\":37.80,\"disp\":40.80}}}"
| rex "disp.:(?<disp>[\d.]+)"
0 Karma

moseisleydk
Path Finder

Found it after some test and thanks to https://answers.splunk.com/answers/366957/how-do-i-get-splunk-to-extract-nested-json-arrays.html

index=jira | head 1 | spath output=x path=issues{} | fields - _raw | fields x | mvexpand x | spath input=x | rename fields{} as fields | mvexpand fields | search fields.customfield_14028=521 | table key,fields.summary,fields.customfield_12931.value,fields.customfield_12927,fields.customfield_14233,fields.customfield_12932.value,price

Give a nice table for all "events" where fields.customfield_14028=521

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

Hi @moseisleydk,

Can you please try this search?

index=jira "issues{}.fields.customfield_14028"=521 
| head 1 
| rename "issues{}.fields.customfield_14233" as customfield_14233, "issues{}.fields.summary" as summary
| eval tempField=mvzip(customfield_14233,summary) 
| stats count by _time,tempField
| eval customfield_14233=mvindex(split(tempField,","),0), summary=mvindex(split(tempField,","),1)
| stats sum(customfield_14233) by summary

Thanks

0 Karma

moseisleydk
Path Finder

Hi,

Thanks, it still "ignores" the

"issues{}.fields.customfield_14028"=521

and reports all issues, not only the

customfield_14028: 521

issues.

Kind Regards,

Normann

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

Can you please share sample events? use 101010 for same.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...