splunk : json spath extract
I have the following event messages in JSON format and need to extract the names of the jobs whose STATUS = Unavailable.
{"Failure":0,"Success":0,"In_Progress":0,"Others":1,"detail":[{"jobA":{"STATUS":"Unavailable"}}]}
{"Failure":0,"Success":1,"In_Progress":0,"Others":1,"detail":[{"jobA":{"STATUS":"SUCCESS","Run":435988393},"jobB":{"STATUS":"Unavailable"}}]}
Any suggestions on how to do this with spath? I suspect my spath search is failing because values such as 0 and 1 are not quoted.
Expected output:
jobA
jobB
spath works fine for me. The problem is that spath produces fields like "detail{}.jobA.STATUS", which are awkward to work with. One workaround is to use spath to extract the JSON element and then use rex to parse the details. Here is a run-anywhere example:
| makeresults | eval data="{\"Failure\":0,\"Success\":0,\"In_Progress\":0,\"Others\":1,\"detail\":[{\"jobA\":{\"STATUS\":\"Unavailable\"}}]}
{\"Failure\":0,\"Success\":1,\"In_Progress\":0,\"Others\":1,\"detail\":[{\"jobA\":{\"STATUS\":\"SUCCESS\",\"Run\":435988393},\"jobB\":{\"STATUS\":\"Unavailable\"}}]}" | eval data=split(data,"
") | mvexpand data | eval _raw=data
```Above just creates test data. Omit IRL```
```Get the detail element from the events```
| spath path=detail{}
```Parse the details```
| spath input="detail{}"
```Parse the job and status fields as a unit. We may have more than one.```
| rex field="detail{}" max_match=0 "(?<jobStatus>[^\\"]+\\":\{\\"STATUS\\":\\"[^\\"]+)"
```Create a separate event for each match```
| mvexpand jobStatus
```Parse the job and status values from each match```
| rex field=jobStatus "(?<Job>[^\\"]+)\\":\{\\"STATUS\\":\\"(?<Status>[^\\"]+)"
```Filter for unavailable jobs```
| where Status="Unavailable"
| table Job
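The rex approach above works for the two events in the question, but its first pattern matches `jobName":{"STATUS":"` literally, so it only finds a job whose object lists "STATUS" as its first key; an object such as `{"Run":1,"STATUS":"Unavailable"}` would be skipped. As an added example (not code from the original thread), the following Python does the same extraction with a real JSON parser, which is indifferent to key order and to unquoted numbers, and also flattens an event into spath-style field names to show why the job name ends up inside the field name rather than in a value. The third sample event and the `spath_like_fields` naming approximation are assumptions introduced here, not taken from the page.

```python
import json
from typing import Any, Dict, Iterable, List

# Constructed sample events. The first two are the events from the question; the
# third is an assumed extra event in which "Run" comes before "STATUS", which a
# regex expecting STATUS to be the first key of the job object would miss.
SAMPLE_EVENTS = [
    '{"Failure":0,"Success":0,"In_Progress":0,"Others":1,"detail":[{"jobA":{"STATUS":"Unavailable"}}]}',
    '{"Failure":0,"Success":1,"In_Progress":0,"Others":1,"detail":[{"jobA":{"STATUS":"SUCCESS","Run":435988393},"jobB":{"STATUS":"Unavailable"}}]}',
    '{"Failure":1,"Success":0,"In_Progress":0,"Others":0,"detail":[{"jobC":{"Run":1,"STATUS":"Unavailable"}}]}',
]


def spath_like_fields(obj: Any, prefix: str = "") -> Dict[str, Any]:
    """Flatten a parsed JSON document into spath-style field names.

    This is an approximation of how spath names auto-extracted fields: nested
    keys are joined with '.', and an array is marked with '{}' after its name
    (repeated names collapse to the last value here, where spath would build a
    multivalue field). It shows why the fields look like 'detail{}.jobA.STATUS':
    the job name is part of the field name, so no fixed path can address it.
    """
    fields: Dict[str, Any] = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            name = f"{prefix}.{key}" if prefix else key
            fields.update(spath_like_fields(value, name))
    elif isinstance(obj, list):
        for item in obj:
            fields.update(spath_like_fields(item, prefix + "{}"))
    else:
        fields[prefix] = obj
    return fields


def unavailable_jobs(event: Dict[str, Any]) -> List[str]:
    """Return the job names under 'detail' whose STATUS is 'Unavailable'.

    Each entry of 'detail' is an object keyed by job name, so the keys are
    iterated instead of hard-coded. Key order inside the job object does not
    matter, and unquoted values such as 0 or 1 are ordinary JSON numbers.
    """
    names: List[str] = []
    for entry in event.get("detail", []):
        if not isinstance(entry, dict):
            continue
        for job_name, job in entry.items():
            if isinstance(job, dict) and job.get("STATUS") == "Unavailable":
                names.append(job_name)
    return names


def extract_unavailable(raw_events: Iterable[str]) -> List[str]:
    """Parse each raw event line and collect unavailable job names.

    Lines that are not valid JSON are skipped rather than aborting the run,
    which is the behaviour wanted when scanning a mixed log source.
    """
    found: List[str] = []
    for line in raw_events:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict):
            found.extend(unavailable_jobs(event))
    return found


if __name__ == "__main__":
    print(spath_like_fields(json.loads(SAMPLE_EVENTS[1])))
    print(extract_unavailable(SAMPLE_EVENTS))  # ['jobA', 'jobB', 'jobC']
```

Running it prints the flattened field names for the second event (including `detail{}.jobA.Run` and `detail{}.jobB.STATUS`) and then the three unavailable job names; the third name is the one a first-key-only regex would not have found.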