I have some JSON events which look similar to the example below. Key to my question is the events[] array, which contains a number of things of interest.
I can summarise all data neatly using filters such as | top events{}.command, but I'd like to be able to do statistics and time graphing on only those events where type="request". I have looked at spath and I'm uncertain it is what I need, but I am happy to be corrected.
How can I select only the request events and do further processing on them?
An example of the JSON (this is interpreted fine by Splunk and it parses out the fields correctly):
{
  "id": "guidguidguid",
  "events": [
    {
      "type": "request",
      "command": "jump",
      "args": "10",
      ... more ...
    },
    {
      "type": "response",
      "command": "wobble",
      "args": "20",
      ... more ...
    },
    {
      "type": "response",
      "command": "run",
      "args": "10",
      ... more ...
    }
    ... more ...
  ],
  .. other key-value pairs and arrays ..
}
There may be multiple request/response sections per Splunk event, or there might just be requests or just responses.
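One way to work on only the request entries, given as an added example that is not part of the original post: it assumes the data is indexed as shown, that the field names type, command and args match the sample, and uses placeholder index and sourcetype names (myindex, myjson) that you would replace with your own.

```spl
index=myindex sourcetype=myjson
| spath path=events{} output=event_json
| mvexpand event_json
| spath input=event_json
| search type="request"
| timechart span=1h count by command
```

The spath with path=events{} pulls each element of the array out as one multivalue field holding that element's raw JSON; mvexpand turns the multivalue field into one row per element, each keeping the original _time; the second spath parses that element's JSON so type, command and args become ordinary fields; and the search keeps only the request rows, so any stats or timechart that follows sees requests alone. Splunk events with no request entries simply contribute no rows. One caveat: mvexpand materialises every array element as a separate row, so on events with very large events[] arrays it can hit the memory ceiling set by max_mem_usage_mb in limits.conf, in which case narrowing the base search before expanding is the usual fix.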