Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Spath key with period in it

mrstrozy
Path Finder
‎01-24-2019 04:46 PM

Hi All,

I am dealing with a key that has a period in it. I am trying to figure out how to use spath to extract it but I haven't had any luck. Here is an example of what the data would look like:

Event:

apples: {
granny.smith: {
color: "green",
crunchy: "true"
}
}

In this case I would like to extract "granny.smith" as a field but I am unable to.

Any help would be much appreciated.

Thanks!

0 Karma
Reply

hcanivel_splunk
Splunk Employee
Splunk Employee
‎01-29-2019 12:51 AM

First of all, I don't think the formatting is correct. Your field of granny.smith should certainly be wrapped by quotes to be read properly (try double quotes). I would recommend using any sort of coding library to help do this for you. But, even if the event data was printed in a proper format, you'd need to extract your fields somehow.

I would recommend either of two solutions, presuming your event data is completely in JSON format:

  1. Create a custom sourcetype props stanza and specify for KV mode to JSON:

[sourcetype]
KV_MODE = json

  1. Use spath command within your search

*SPL* | spath

Either way, once you have those fields, how you can reference these fields thereafter, you'll need to use single quotes for any sort of calculated field manipulation. In your case, if if the fields were indeed extracted and you wanted to search against it, here's an SPL query sample:

index=main 'granny.apple.color' != "green"

Give that a shot.

0 Karma
Reply

niketn
Legend
‎01-24-2019 06:45 PM

@mrstrozy do you need granny.smith as a field? It will have a nested JSON in it. Actual fields would be granny.smith.color with value green as per your data. This should work out of the box. Following is an example based on sample data provided:

| makeresults
| eval _raw="{
    \"apples\": {
        \"granny.smith\": {
                \"color\": \"green\",
                \"crunchy\": \"true\"
            }
        }
    }"
| spath
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...