Re: How to get the search report of a value?

runiyal · ‎02-23-2023

In the log there are events like -

{"submitterType":"Others","SubID":"App_4-45887-02232023"}

{"submitterType":"Others","SubID":"App_5-45892-02232023"}

I want a report showing -

App_4-45887-02232023

App_5-45892-02232023

Thanks!

yuanliu · ‎02-25-2023

You didn't explain why Splunk does not give you SubID automatically. The illustrated logs are conformant JSON. If they are the raw events, there should be no reason that you don't have both fields submitterType and SubID.

If the illustrated log is one of fields that Splunk extracts for you, say "log", spath is the command to extract JSON nodes.

| spath input=log

Your sample data will give

SubID	submitterType
App_4-45887-02232023	Others
App_5-45892-02232023	Others

bowesmana · ‎02-23-2023

You don't say much about what you need other than the results of that field, so in its basic form, you need to extract that SubID field if it's not already extracted and then do

your_search...
| table SubID

If your data is JSON then SubID should be extracted

If you want to count the occurrrences of each SubID, then do

your_search...
| stats count by SubID

runiyal · ‎02-24-2023

Just trying to extract the field.

How to get the search report of a value?

subsearch

Modern way of developing distributed application using OTel

Enterprise Security Content Update (ESCU) | New Releases

Archived Metrics Now Available for APAC and EMEA realms