Anuja Barve
Reputation: 320
Reading a field from a JSON log in Splunk using SPATH
I am trying to read an attribute from a Splunk log that looks like this
context=context{version="1.1.2", id="123", userId=""}
I need to get count by version
My Splunk query :
index="$index" "$filterString" | spath input=context output=versionId path=version | stats count by versionId
The value of version is not being read correctly. Is the spath correct here?
Upvotes: 1
Views: 1745
Answers (1)
RichG
Reputation: 9916
spath is the right command, but it only works with valid JSON strings. The given string is considered invalid by jsonlint.com.
Here is a workaround that uses rex to extract the version ID.
index="$index" "$filterString"
| rex field=context "version=\\\"(?<versionId>[^\\\"]+)"
| stats count by versionId
Upvotes: 3
Related Questions
- How to build a Splunk query that extracts data from a JSON array?
- splunk : json spath extract
- How to extract fields from an escaped JSON(nested) in splunk?
- Splunk : Spath searching the JSON array
- Extract some fields from a part json part text log in Splunk
- How to extract Key Value fields from Json string in Splunk
- How to extract fields from JSON string in Splunk
- Querying about field with JSON type value
- Extracting values from json in Splunk using spath
- Unable to extract JSON fields in Splunk