Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk - how to filter json search results

evanxu
Explorer
‎07-20-2020 07:01 AM

My splunk search returns one event as below: notice agent data is in a nested json format.  agentName and agentSwitch are nested fields within agent.  

testsplunk.JPG

I would like to filter within this result so that the output would only display 

agentName = "ether" and agentSwitchName="soul".   

 

I have tried to filter using spath and table but each time it would return ALL agentNames, how can i correctly filter the output?  

My search | spath | table environemnt, agent{}.agentName | search agent{}.agentName="ether"

Labels (1)
Labels
Tags (1)
0 Karma
Reply

to4kawa
Ultra Champion
‎07-20-2020 02:36 PM

My search | spath agent{} output=agent

| mvexpand agent | spath input=agent | search agentName="ether"

Reply

evanxu
Explorer
‎07-21-2020 07:42 PM

Hi @to4kawa , thank you, i have one more request, 
my search correctly returns agent ether, however, it also returns all agent switch names even though I specified agentSwitchName "soul".   I think this has to do with agentSwitchName being nested within agent.   Could you help ?

mysearch |  spath agent{} output=agent | mvexpand agent | spath input=agent
| search agentName="ether" AND agentSwitchName="soul"

 

0 Karma
Reply

to4kawa
Ultra Champion
‎07-22-2020 02:38 AM

I don't know your log. I can't do that.

0 Karma
Reply

evanxu
Explorer
‎07-22-2020 05:07 AM

The json screenshot is the result of my search, it returns a single event with nested json.   I am attempting to reformat/filter the event output to show only agentName: ether and agentSwitchName: soul, preferably in a tabular format. 

testsplunk.JPG

mysearch |  spath agent{} output=agent | mvexpand agent | spath input=agent
| search agentName="ether" AND agentSwitchName="soul"  | table agentName, agentSwitchName

However instead of getting "soul" only, I am getting both "infinity" and "soul", so it looks like 

current.JPG

This is the output I really want: 

target.JPG

Thank you

0 Karma
Reply

to4kawa
Ultra Champion
‎07-22-2020 06:42 AM

you can do it, I can't do it by only sample pics.


0 Karma
Reply

spitchika
Path Finder
‎07-22-2020 08:07 AM
 
 
Hi, 

Best thing I do in this situation is changing log display format to "Raw" and capture correct left and right boundaries with rex command. (If require max_match option). Right now default json view would be "List" view.

spitchika_0-1595430181338.png

 

Reply

evanxu
Explorer
‎07-26-2020 07:07 PM

Thank you for the hint.    I tried to add the clause below and the data returned correctly.  

| rename data as _raw
| extract

0 Karma
Reply

spitchika
Path Finder
‎07-27-2020 07:47 AM 
Perfect!! Thank you.
0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...