Json Question posted in
Our archive of expertly curated questions and answers provides insights and solutions to common problems related to this popular data interchange format. From parsing and manipulating JSON data to integrating it with various programming languages and web services, our archive has got you covered. Start exploring today and take your JSON skills to the next level

Json – Combine paths to one output in Splunk

I have an issue with paths in my Splunk search. I am searching through JSON data where certains paths can have capitals, but also for a certain flow don’t have capitals. The fields are exactly the same, but the capitals of the fieldnames are the difference. How can I combine the paths (because as far as I know the paths are treated as two different paths by Splunk) to get one output and combine them in the count?

index="x" 
| spath MessageTemplate | search MessageTemplate="Input Message: {Body}"
| spath input="Properties.Body"
| spath input="Properties.Body" path="voormelden{}.colloData{}.voormeldBronCd.code" output=VoormeldBronCode
| spath input="Properties.Body" path="voormelden{}.ColloData{}.VoormeldBronCd.Code"
output=VoormeldBronCode
| stats count by VoormeldBronCode

As you can see the paths for the body can be with capitals or with camelcase and I want to combine those in one output, so the count takes both of the versions (obviously this example doesn’t work).

Tags:

2

Answers


  1. 0

    I think you may need to normalize the data in one of two ways: change the field(s) of interest to always have the same name; or change all of MessageTemplate to lower case.

    index="x" 
| spath MessageTemplate | search MessageTemplate="Input Message: {Body}"
| eval MessageTemplate=lower(MessageTemplate)
| spath input="Properties.Body"
| spath input="Properties.Body" path="voormelden{}.colloData{}.voormeldBronCd.code" output=VoormeldBronCode
| stats count by VoormeldBronCode

    or

    index="x" 
| spath MessageTemplate | search MessageTemplate="Input Message: {Body}"
| rex mode=sed field=MessageTemplate "s/\"code\"/\"Code\"/g"
| spath input="Properties.Body"
| spath input="Properties.Body" path="voormelden{}.ColloData{}.VoormeldBronCd.Code"
output=VoormeldBronCode
| stats count by VoormeldBronCode
    Login or Signup to reply.
  2. 0

    Try this run-anywhere SPL, making use of coalesce:

    | makeresults count=10
```create mockdata```
| streamstats count
| eval
test=if(count%2=0,"test",null()),
Test=if(count%2=1,"testi",null())
| makejson * output=data
| table data
| eval data=replace(data,", "[tT]est": ""","")
```end mock-data```
```extract both fields```
| spath input=data path=Test output=Test
| spath input=data path=test output=test
```use coalesce to normalize```
| eval tTest=coalesce(test,Test)
| stats count by tTest
    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search