Solved: How do you do a spath search that would search for...

bzsplunk54 · ‎04-01-2019

Hello,

I am trying to acquire some input for SPL parsing a JSON file using the |spath command. Here is an example of my JSON format.

{
"ip": "10.1.1.2",
"hostname": "Switch_1",
"function": "Switch Access",
"owner": "Doughnut Co.",
"vendor": "Cisco",
"dev_type": "Switch",
"ssh": true,
"ping": true,
"snmp": false,
"ConnType": "cisco_ios",
"version": "15.2(2)E6",
"chassis_model": "WS-C2960",
"chassis_sn": "G0T1635R11M",
"slot_list": [
{
"sn": "G0T1635R11M",
"slot": "1",
"model": "WS-C2960"
}
],

{
"ip": "10.1.1.3",
"hostname": "Switch_2",
"function": "Switch Access",
"owner": "Doughnut Co.",
"vendor": "Cisco",
"dev_type": "Switch",
"ssh": true,
"ping": true,
"snmp": true,
"ConnType": "cisco_ios",
"version": "12.2(55)SE12",
"chassis_model": "WS-C2960S-48FPS-L",
"chassis_sn": "F0R1524Q11L",
"slot_list": [
{
"sn": "F0R1524Q11L",
"slot": "1",
"model": "WS-C2960S-48FPS-L"
}
],

==========================================================================
I need to focus on the model (chassis_model) with a correlation to the IOS (version). I know that I could add a spath statement and then a search statement for chassis_model and version, but how do I incorporate multiple searches for chassis_model and version.

Index=new dev_type=switch sourcetype="_json"  ("WS-C2960*") 
    ping!=false last_status="connected" earliest =-1d@d latest=now 
| spath version 
| search version="12.2(55)SE12"

I need to be able to search for multiple switch revisions of the same switch running different IOS versions. This will work at the beginning of the search ** ("WS-C2960*" version="12.2(55)SE12") OR ("WS-C2960S*" version!="15.2(2)E6)** However, I want to be able to use spath as the search flow is easier to follow when dealing with a vast array of equipment.

*this I know will not work but how can something similar work with an spath SPL statement?

| spath 
| search "WS-C2960S*" version!="15.2(2)E9" 
| spath 
| search "WS-C2960*" version="12.2(55)SE12" 
| dedup ip

Thank You

martinpu · ‎04-01-2019

Try using an OR clause in between:

 | spath 
 | search (generatedField="WS-C2960S" version!="15.2(2)E9") OR (generatedField="WS-C2960*" version="12.2(55)SE12")
 | dedup ip

Spath should generate a field as well for that query, defining search based on field is much faster

View solution in original post

martinpu · ‎04-01-2019

Try using an OR clause in between:

 | spath 
 | search (generatedField="WS-C2960S" version!="15.2(2)E9") OR (generatedField="WS-C2960*" version="12.2(55)SE12")
 | dedup ip

Spath should generate a field as well for that query, defining search based on field is much faster

bzsplunk54 · ‎04-02-2019

thank you!

asoma0707 · ‎03-26-2020

Hi,
Can we use regular expression in search field after spath ? I am stuck in the similar kind of situation. I retrieved JSON object, after that I am looking for a particular string with different formats (alphaNumeric). Those are actually data anomalies.

Could you please provide your advise on how do we incorporate regex in search field ? I tried, but could not come to the solution.

How do you do a spath search that would search for multiple models with a variance of IOS levels?

Get ready to show some Splunk Certification swagger at .conf24!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...