Help extracting totalCount out of nested JSON

bhavya49 · ‎12-05-2019

{ [-]
   detailMap: { [-]
     critical: false
     result: 0
     totalCnt: 5
     txnCountWithIgnoredIRC: 0
     warning: false
   }
   id: 60300000000
   name: EBALL
}

I'm trying to extract totalCount out of the nested Json. I'm trying the below search to extract it:

index="pas" source="agent.log" | spath output=myCount path=detailMap{}.totalCnt | table myCount

When I'm running this search, myCount column is blank.
Please let me know how to improvise this search.

to4kawa · ‎01-01-2020

| makeresults
| eval _raw = "{ 
    \"detailMap\": { 
      \"critical\": \"false\",
      \"result\": \"0\",
      \"totalCnt\": \"5\",
      \"txnCountWithIgnoredIRC\": \"0\",
      \"warning\": \"false\"
    },
    \"id\": \"60300000000\",
    \"name\": \"EBALL\"
 }"
| spath

From this results,

index="pas" source="agent.log" 
| spath output=myCount path=detailMap.totalCnt 
| table myCount

It looks like the field name is different.

vnravikumar · ‎12-05-2019

Hi

Try this

| makeresults 
| eval temp="{
  \"detailMap\": {
    \"critical\": false,
    \"result\": 0,
    \"totalCnt\": 5,
    \"txnCountWithIgnoredIRC\": 0,
    \"warning\": false
  },
  \"id\": 60300000000,
  \"name\": \"EBALL\"
        }" 
| spath input=temp output=totalCnt path=detailMap{}.totalCnt | table totalCnt

Help extracting totalCount out of nested JSON

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!