I have some json events which look similar to the example below. Key to my question is the events[] array which contains a number of things of interest.
I can summarise all data neatly using filters such as | top events{}.command but I'd like to be able to do statistics and time graphing on only those events where type="request". I have looked at spath and I'm uncertain it is what I need, but I am happy to be corrected.
How can I select only the request events and do further processing on them?
An example of the json (this is interpreted fine by Splunk and it parses out the fields correctly):
{
  "id": "guidguidguid",
  "events": [
    {
      "type": "request",
      "command": "jump",
      "args": "10",
      ... more ...
    },
    {
      "type": "response",
      "command": "wobble",
      "args": "20",
      ... more ...
    },
    {
      "type": "response",
      "command": "run",
      "args": "10",
      ... more ...
    }
    ... more ...
  ],
  .. other key-value pairs and arrays ..
}
There may be multiple request/response sections per Splunk event, or there might just be requests or just responses.
See this answer: http://splunk-base.splunk.com/answers/63559/multiple-events-and-multiple-key-value-pairs-one-being-t.... So a search for you might be:
<yoursearch>|spath|rename events{}.type as event_type|rename events{}.command AS event_command|eval x=mvzip(event_type,event_command)|mvexpand x|eval x=split(x,",")|eval evt_type=mvindex(x,0)|eval evt_cmd = mvindex(x,1)|where evt_type=="request"|stats count by evt_cmd
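As an added example that is not part of the original answer, the search below reaches the same result without keeping several multivalue fields aligned through mvzip: spath pulls each element of events{} out as its own JSON string, mvexpand turns the Splunk event into one row per element, and a second spath parses that element's fields so type, command and args are all available for filtering and charting. The 5-minute span and the evt field name are assumptions, and the elements are expected to carry a type field as in the sample above.

```spl
<yoursearch>
| spath path=events{} output=evt
| mvexpand evt
| spath input=evt
| where type="request"
| timechart span=5m count BY command
```

Because mvexpand copies the parent event onto every row, id and the other top-level key-value pairs stay available for grouping alongside the per-element fields.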
This works great where I just need two of the values from the original data, thanks.
Perhaps a better long-term solution is to change the data input format so they form distinct Splunk events.