json output read single value when there are multiple for a segment

surekhasplunk
Communicator

Hi,
I have a JSON output which is getting indexed correctly.
And I am collecting the IP from remoteManagement{}.ip. But for some cases I have multiple IPs under remoteManagement. In those cases I need to select only the one IP where protocol.name is NOT console. If there are 3 IPs and for one of them protocol.name is console, then leave it out and of the remaining 2 take any one IP.
As you can see from the screenshot, one has protocol.name = console and for the third one protocol.name = ssh.
So here I will need to eval ssh_ip=192.0.32.38

And then use it in my below query to filter only those records.

index="unicorn" ( "infrastructure{}.type"=critical OR "infrastructure{}.type"=vital )
| mvexpand infrastructure{}.name
| rename assetId as "AssetID" infrastructure{}.name as "Infrastrucure Name" name as Nom remoteManagement{}.ip as Ip realm{}.name as Type
| table "Infrastrucure Name" "AssetID" Nom Ip Type
| mvexpand Ip
| where Ip=ssh_ip

How do I calculate ssh_ip here? I tried to use
| spath "remoteManagement{}.protocol.name" | search "remoteManagement{}.protocol.name"!=console
OR
| spath "remoteManagement{}.protocol.name" | search "remoteManagement{}.protocol.name"=ssh

But it's giving all 3 IPs.

Please help.

Thanks


to4kawa
Ultra Champion
index="unicorn"
| spath assetId 
| search assetId=MA9624121 
| lookup Input_splunk_all.csv RTR as name 
| spath output=manage remoteManagement{} 
| table name manage
| stats values(name) as name by manage
| spath input=manage

Hi, @surekhasplunk
How about this?


woodcock
Esteemed Legend

I think that I finally get it. Try adding this to drop the console values from the multivalued manage field:

... | eval manage = mvfilter(NOT match(manage, "\"name\":\"console\""))

surekhasplunk
Communicator

Hi @woodcock and @aberkow,

Could you please help me here? I have uploaded the images now.

Thanks in advance.


woodcock
Esteemed Legend

Did you notice where I said NOT to use images? Post TEXT.


surekhasplunk
Communicator

Hi @woodcock,

Below is what I am receiving under remoteManagement, which I am evaluating for Ip.
Now my requirement is that I need to get only the IP where protocol.name=ssh.

remoteManagement: [
  {
    "additionalInformation": null,
    "device": 7490,
    "id": 18450,
    "ip": "184.7.138.72",
    "login": "HASDf",
    "password": null,
    "plainTextURL": null,
    "port": "7013",
    "protocol": { "name": "console" }
  },
  {
    "additionalInformation": null,
    "device": 7490,
    "id": 18451,
    "ip": "192.0.32.38",
    "login": "matricule SG",
    "password": null,
    "plainTextURL": null,
    "port": "443",
    "protocol": { "name": "https" }
  },
  {
    "additionalInformation": null,
    "device": 7490,
    "id": 18449,
    "ip": "192.0.32.38",
    "login": "matricule SG",
    "password": null,
    "plainTextURL": null,
    "port": "22",
    "protocol": { "name": "ssh" }
  }
]

kamlesh_vaghela
SplunkTrust

Hello @surekhasplunk

Kindly post _raw event.


surekhasplunk
Communicator

For example:
Below is my query, and I know that for this asset ID I have 3 values under remoteManagement{}.ip

index="unicorn"
| spath assetId
| search assetId=MA9624121
| lookup Input_splunk_all.csv RTR as name
| spath output=manage remoteManagement{}
| table name manage

Below is the output.

name        manage
HFSOFW401   {"id":18450,"protocol":{"name":"console"},"ip":"184.7.138.72","port":"7013","additionalInformation":null,"plainTextURL":null,"login":"HFSOFW401","password":null,"device":7490}
            {"id":18451,"protocol":{"name":"https"},"ip":"192.0.32.38","port":"443","additionalInformation":null,"plainTextURL":null,"login":"matricule SG","password":null,"device":7490}
            {"id":18449,"protocol":{"name":"ssh"},"ip":"192.0.32.38","port":"22","additionalInformation":null,"plainTextURL":null,"login":"matricule SG","password":null,"device":7490}
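Added example, not posted by anyone in this thread, that applies the rule from the original question (drop the console entry, prefer the ssh entry, otherwise take any remaining IP) to the manage values shown above. The event-level search on remoteManagement{}.protocol.name returns all three IPs because that field holds every protocol name of the event, so each array element has to be expanded and parsed on its own; field names assetId and manage are taken from the queries above, candidate_ips, proto and ip are names chosen here.

```spl
index="unicorn"
| spath assetId
| search assetId=MA9624121
| spath output=manage path="remoteManagement{}"
| mvexpand manage
| spath input=manage path=protocol.name output=proto
| spath input=manage path=ip output=ip
| where proto!="console"
| stats values(ip) as candidate_ips first(eval(if(proto="ssh", ip, null()))) as ssh_ip by assetId
| eval ssh_ip=coalesce(ssh_ip, mvindex(candidate_ips, 0))
```

For the three entries above this yields ssh_ip=192.0.32.38, and for an asset with no ssh entry it falls back to the first non-console IP.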

woodcock
Esteemed Legend

Show us entire sample events and a mockup of the desired output.


woodcock
Esteemed Legend

And by show I DO NOT mean a picture; send us plain text.


surekhasplunk
Communicator

Hi @aberkow and @woodcock,

I am so sorry for the inconvenience, hope you can see the images now.


aberkow
Builder

I don't see a screenshot - can you give a sanitized version of the result up to where you're happy with the output to that point? (i.e. what is the result before you're trying your spath command)
