Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Differentiate between two fields with the same name in two different jsons

seomaniv
Explorer
‎04-09-2019 10:42 AM

So I have a single log event that captures the request and the response JSONs. As a user I'd like to be able to write a query that will capture the fields from the JSONs, but the field names are the same in the request and the response, so when I search:

index="myIndex" sourcetype="mySourceType" "Keywords to search for only request and response events" | 
rex field=_raw "This event received the following request (?<requestJson>.*) and sent the following response (?<responseJson>.*)" | 
spath input=requestJson | 
spath input=responseJson

When I get the results of this search, I get one field with two values (request and response values):

"clientId":[123, 123] <-----searched by
"name":[null, "Joe Schmoe"]
"ssn":[null, "123-45-6789"]

.....etc.

What I'd really like to be able to do is get a response more like:

"request.clientId":123
 "request.name":null
 "request.ssn":null

"response.clientId":123
 "response.name":"Joe Schmoe"
 "response.ssn":"123-45-6789"

I tried renaming the fields in "requestJson" after using spath:

spath input=requestJson | rename * as request.*

but that doesn't seem to work unless I use at least one letter before the wildcard (*), such as:

spath input=requestJson | rename a* as request.*

How can I rename these fields generated dynamically by spath-ing my JSONs? Or, alternative I may be missing: how can I differentiate between the request and response values even though they have the same field name?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎04-09-2019 11:43 AM

@seomaniv add the following eval before spath commands.

| eval requestJson="{\"request\":".requestJson."\}", responseJson="{\"response\":".responseJson."\}"

Following is a run anywhere search example based on the sample data provided:

| makeresults 
| eval _raw="This event received the following request {\"clientId\":123,\"name\":null,\"ssn\":null} and sent the following response {\"clientId\":123,\"name\":\"John\",\"ssn\":\"Doe\"}"
| rex "This event received the following request (?<requestJson>.*) and sent the following response (?<responseJson>.*)"
| eval requestJson="{\"request\":".requestJson."\}", responseJson="{\"response\":".responseJson."\}"
| spath input=requestJson
| spath input=responseJson
| fields - _raw requestJson responseJson
| fields request* response*

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎04-09-2019 11:43 AM

@seomaniv add the following eval before spath commands.

| eval requestJson="{\"request\":".requestJson."\}", responseJson="{\"response\":".responseJson."\}"

Following is a run anywhere search example based on the sample data provided:

| makeresults 
| eval _raw="This event received the following request {\"clientId\":123,\"name\":null,\"ssn\":null} and sent the following response {\"clientId\":123,\"name\":\"John\",\"ssn\":\"Doe\"}"
| rex "This event received the following request (?<requestJson>.*) and sent the following response (?<responseJson>.*)"
| eval requestJson="{\"request\":".requestJson."\}", responseJson="{\"response\":".responseJson."\}"
| spath input=requestJson
| spath input=responseJson
| fields - _raw requestJson responseJson
| fields request* response*

Please try out and confirm!

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

seomaniv
Explorer
‎04-09-2019 11:49 AM

Actually I ended up figuring it out, too. What I did was concatenate both fields into a single field, then ran spath on that field and it did the work itself. 

eval toSpath="{\"request\":".requestJson.",\"response\":".responseJson | 
spath input=toSpath

Same thing you did, basically. Thanks niketnilay!

Reply
Solved! Jump to solution

niketn
Legend
‎04-09-2019 12:09 PM

@seomaniv ,Anytime! Glad you figured it out 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...