- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Dropping blank paths in a JSON search
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dropping blank paths in a JSON search
Hi,
I am doing some experimentation wirh regards JSON events. I have two events loaded:
{
"event":
{
"time": "2019-02-10T05:52:03",
"StatsMonitor": {
"time": "2019-02-10T05:52:03",
"name": "StatsMonitor",
"LocalTimetDelta": 0,
"CaptureTimetDelta": 0,
"DeltaTimeAuditLog": 0,
"ActiveUsers": 26
}
}
}
and
{
"action":
{
"StatsMonitor": {
"time": "2019-02-10T05:52:03",
"name": "StatsMonitor",
"LocalTimetDelta": 0,
"CaptureTimetDelta": 0,
"DeltaTimeAuditLog": 0,
"ActiveUsers": 26
}
}
,
"action":
{
"StatsMonitorx": {
"time": "2019-01-10T06:52:03",
"name": "StatsMonitor",
"LocalTimetDelta": 0,
"CaptureTimetDelta": 0,
"DeltaTimeAuditLog": 0,
"ActiveUsers": 52
}
}
}
The index I am using is 'conship'
I have a search:
index=conship | spath
path=event.StatsMonitor
| rename event.time as time, event.StatsMonitor.* as *
| table time ActiveUsers
which is returning both events as results, but has duplicate data coming from the first (which is the correct data).
I would have thought:
spath path=event.StatsMonitor
would have eliminated the data altogether from the second event. Perhaps I could get a blank line, but why am I getting a duplicate from the correct event.
Thanks,
Stan
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello @brutecat,
the bellow does the trick
| makeresults
| eval _raw="{
\"event\":
{
\"time\": \"2019-02-10T05:52:03\",
\"StatsMonitor\": {
\"time\": \"2019-02-10T05:52:03\",
\"name\": \"StatsMonitor\",
\"LocalTimetDelta\": 0,
\"CaptureTimetDelta\": 0,
\"DeltaTimeAuditLog\": 0,
\"ActiveUsers\": 26
}
},
\"action\":
{
\"StatsMonitor\": {
\"time\": \"2019-02-10T05:52:03\",
\"name\": \"StatsMonitor\",
\"LocalTimetDelta\": 0,
\"CaptureTimetDelta\": 0,
\"DeltaTimeAuditLog\": 0,
\"ActiveUsers\": 26
}
}
,
\"action\":
{
\"StatsMonitor\": {
\"time\": \"2019-01-10T06:52:03\",
\"name\": \"StatsMonitor\",
\"LocalTimetDelta\": 0,
\"CaptureTimetDelta\": 0,
\"DeltaTimeAuditLog\": 0,
\"ActiveUsers\": 52
}
}
}"
| spath
| rename event.time as time
| spath path=event
| rename event.StatsMonitor.* as *
| table time ActiveUsers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@brutecat
Can you please share sample events using precode block (101010 in text editor) ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
{
"event":
{
"time": "2019-02-10T05:52:03",
"StatsMonitor": {
"time": "2019-02-10T05:52:03",
"name": "StatsMonitor",
"LocalTimetDelta": 0,
"CaptureTimetDelta": 0,
"DeltaTimeAuditLog": 0,
"ActiveUsers": 26
}
}
}
AND
{
"action":
{
"StatsMonitor": {
"time": "2019-02-10T05:52:03",
"name": "StatsMonitor",
"LocalTimetDelta": 0,
"CaptureTimetDelta": 0,
"DeltaTimeAuditLog": 0,
"ActiveUsers": 26
}
}
,
"action":
{
"StatsMonitorx": {
"time": "2019-01-10T06:52:03",
"name": "StatsMonitor",
"LocalTimetDelta": 0,
"CaptureTimetDelta": 0,
"DeltaTimeAuditLog": 0,
"ActiveUsers": 52
}
}
}
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry - I realise the search was also cobbled. The asterisk was dropped:
index=conship | spath
path=event.StatsMonitor
| rename event.time as time, event.StatsMonitor.* as *
| table time ActiveUsers
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
