Splunk Search
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to extract fields in a file?

dhirendra761
Contributor
‎07-29-2018 12:09 AM

I need to extract each filed in "monitoringdata" in file.
belo is sample of data:

{"@timestamp":"2018-07-27T16:06:28.025+05:30","@version":1,"logger_name":"ADNSMONITOR","thread_name":"priority-all-publishrevisiondownloadthread-CSDBL-S1KD-A350-HHJ-28-Jul-2018","level":"INFO","level_value":20000,"HOSTNAME":"ITEM-S66462","startTaskManDate":"1532687732198","endDate":"","start":"","error":"","attempt":"1","jobnorm":"JB1T40R011-DOWNLOAD","duration":"","stop":"","requestId":"01f965d4-d681-4f02-a349-44870765ed10","tasknorm":"","monitoringData":"{\"deliverableType\":null,\"docType\":null,\"acProgram\":null,\"docId\":null,\"revisionDate\":null,\"format\":null,\"entity\":null,\"customersRightStatus\":null,\"customersRightEventDate\":null,\"majorEvent\":null,\"emergency\":null,\"attachmentType\":null,\"attachmentIssueDate\":null,\"acknowledgment\":null,\"acknowledgmentDate\":null,\"productionOrder\":null,\"domain\":null,\"productKey\":\"#[A350]#HHJ#CSDBL##[PN1234]##\",\"itemId\":\"260_S1KD\",\"onlineAvailabilityData\":{\"type\":\"DownloadState\",\"status\":\"InProgress\",\"fromDate\":null,\"toDate\":null},\"acksStatus\":null}","functionalKey":"CSDBL-S1KD-A350-HHJ-28-Jul-2018","startPublicationDate":"1532687732198","jobSourceId":"IM01-SRDD","status":"IN_PROGRESS","appName":"ADNS-Taskman","appEnv":"dev","appProduct":"1T40"}

I have tried so many times. but always get monitoringdata as group of data fields.
link text
I need a new field like deliverableType, docType, acProgram and so on.

I am trying lot, but not succeed. Any help will be appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

493669
Super Champion
‎07-29-2018 06:36 AM

@dhirendra761, can you try below-

...| rex max_match=0 field=monitoringdata "(?<key>\w+)\":\"?(?<value>\"?[^,\"]+)"|table key, value|eval b=mvzip(key,value)|mvexpand b| makemv b delim=","|eval key=mvindex(b, 0)| eval value=mvindex(b, 1)|table key value| transpose 0 header_field=key
 | fields - column

try this run anywhere search query-

|makeresults|eval monitoringdata="{\"deliverableType\":null,\"docType\":null,\"acProgram\":null,\"docId\":null,\"revisionDate\":null,\"format\":null,\"entity\":null,\"customersRightStatus\":null,\"customersRightEventDate\":null,\"majorEvent\":null,\"emergency\":null,\"attachmentType\":null,\"attachmentIssueDate\":null,\"acknowledgment\":null,\"acknowledgmentDate\":null,\"productionOrder\":null,\"domain\":null,\"productKey\":\"#[A350]#HHJ#CSDBL##[PN1234]##\",\"itemId\":\"260_S1KD\",\"onlineAvailabilityData\":{\"type\":\"DownloadState\",\"status\":\"InProgress\",\"fromDate\":null,\"toDate\":null},\"acksStatus\":null}"| rex max_match=0 field=monitoringdata "(?<key>\w+)\":\"?(?<value>\"?[^,\"]+)"|table key, value|eval b=mvzip(key,value)|mvexpand b| makemv b delim=","|eval key=mvindex(b, 0)| eval value=mvindex(b, 1)|table key value| transpose 0 header_field=key
 | fields - column

View solution in original post

Reply
Solved! Jump to solution
Solution

493669
Super Champion
‎07-29-2018 06:36 AM

@dhirendra761, can you try below-

...| rex max_match=0 field=monitoringdata "(?<key>\w+)\":\"?(?<value>\"?[^,\"]+)"|table key, value|eval b=mvzip(key,value)|mvexpand b| makemv b delim=","|eval key=mvindex(b, 0)| eval value=mvindex(b, 1)|table key value| transpose 0 header_field=key
 | fields - column

try this run anywhere search query-

|makeresults|eval monitoringdata="{\"deliverableType\":null,\"docType\":null,\"acProgram\":null,\"docId\":null,\"revisionDate\":null,\"format\":null,\"entity\":null,\"customersRightStatus\":null,\"customersRightEventDate\":null,\"majorEvent\":null,\"emergency\":null,\"attachmentType\":null,\"attachmentIssueDate\":null,\"acknowledgment\":null,\"acknowledgmentDate\":null,\"productionOrder\":null,\"domain\":null,\"productKey\":\"#[A350]#HHJ#CSDBL##[PN1234]##\",\"itemId\":\"260_S1KD\",\"onlineAvailabilityData\":{\"type\":\"DownloadState\",\"status\":\"InProgress\",\"fromDate\":null,\"toDate\":null},\"acksStatus\":null}"| rex max_match=0 field=monitoringdata "(?<key>\w+)\":\"?(?<value>\"?[^,\"]+)"|table key, value|eval b=mvzip(key,value)|mvexpand b| makemv b delim=","|eval key=mvindex(b, 0)| eval value=mvindex(b, 1)|table key value| transpose 0 header_field=key
 | fields - column
Reply
Solved! Jump to solution

dhirendra761
Contributor
‎07-29-2018 09:34 AM

Hi Thanks for the suggestion.
answer1 I got result (0) . Link: https://imgur.com/a/4p3ID6v
answer2: It gives result 1 for specifc filed. What if there are many monitoringdata in one single event.

I have 16 monitoringdata in my file.

Please suggest as well.

Thanks. 🙂

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎07-29-2018 10:34 AM

change fieldname as monitoringData and try again as field names are case sensitive

...| rex max_match=0 field=monitoringData "(?<key>\w+)\":\"?(?<value>\"?[^,\"]+)"|table key, value|eval b=mvzip(key,value)|mvexpand b| makemv b delim=","|eval key=mvindex(b, 0)| eval value=mvindex(b, 1)|table key value| transpose 0 header_field=key
  | fields - column
0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎07-29-2018 01:47 PM

Just a little addition to this: this method will make your Splunk explode once you put a lot of events through the mvexpand.
Here is a link https://answers.splunk.com/answers/319646/how-to-write-the-regex-to-extract-data-inside-squa.html to an answer doing the same using props.conf and transforms.conf

cheers, MuS

Reply
Solved! Jump to solution

dhirendra761
Contributor
‎07-30-2018 02:56 AM

Hi @MuS , Hi @493669,

Thanks for the answer, just one more quick if i need to export the report for monitorData based on itemId in json then what type of search i have to write.

Like i need whole monitorData for itemId (key="itemId ") whose value is 260_S1KD

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎07-30-2018 04:14 AM

if you made changes in props.conf and transforms.conf as suggested by @MuS then fields get extracted at search time then simply apply filter on itemId as shown below and export in JSON format-

sourcetype="logadns"|where itemId="260_S1KD"|table monitoringData
0 Karma
Reply
Solved! Jump to solution

dhirendra761
Contributor
‎08-29-2018 10:53 PM

Hi @493669 can i connect with you regarding some question on splunk.

Thanks.

0 Karma
Reply
Solved! Jump to solution

493669
Super Champion
‎08-29-2018 11:06 PM

you can connect me on mandalerajesh@yahoo.in

0 Karma
Reply
Solved! Jump to solution

dhirendra761
Contributor
‎08-29-2018 11:14 PM

@493669 Thank you very much 🙂

0 Karma
Reply
Solved! Jump to solution

dhirendra761
Contributor
‎07-30-2018 05:31 AM

Thank you very much @493669 and @MuS for your support.
:)

0 Karma
Reply
Solved! Jump to solution

dhirendra761
Contributor
‎07-30-2018 05:32 AM

@493669 please post you comment in answer section so that I can mark as accepted

0 Karma
Reply
Solved! Jump to solution

dhirendra761
Contributor
‎07-30-2018 10:28 PM

Hi Rajesh @493669
Do you have any idea on my another question:
Please have a look:
https://answers.splunk.com/answers/674429/not-monitored-similer-name-local-files-on-windows.html

Thanks

0 Karma
Reply
Solved! Jump to solution

dhirendra761
Contributor
‎08-01-2018 12:12 AM

Hi @493669

In MonitorData , there are 25 keys(itemId, docType,.....)

and each key contains no of value(eg. itemId contains 100 different values) ....... can i extract each value as seprate event.
like itemId, doctype.

Please suggest as well. Thanks in advance.

0 Karma
Reply
Solved! Jump to solution

dhirendra761
Contributor
‎07-29-2018 12:18 AM

https://imgur.com/H46vjdK

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...
li.common.scroll-to.top