Splunk only select matching JSON data - splunk

I load JSON reports into Splunk and those reports have many arrays. When I search:
source=test| search "behavior.system.processes.process{}.fileactivities.fileCreated.call{}.path"="C:\\Windows*"
I often like to show the matching data. I use table to do so:
source=test| search "behavior.system.processes.process{}.fileactivities.fileCreated.call{}.path"="C:\\Windows*" | table "behavior.system.processes.process{}.fileactivities.fileCreated.call{}.path"
However, the issue is that this shows me all fileCreated of the matching event and not only the one starting with C:\Windows.
How do I filter that?

#joe-jeff
I posted an answer on answers.splunk.com. Please check the link below.
https://answers.splunk.com/answers/745093/only-select-matching-json-data.html

Related

Get Previous Session data based on Session filter Splunk

I'm facing a problem in Splunk: if I choose the current session (2020) from the filter, then I should get the data of the previous session (2019).
I wrote a Splunk query like:
index="entab_due" Session=2019 ClassName="* *"
| eval n=(tonumber(Session)-1)
| where totalBalance > 0 and Session = n
but I didn't get any result.
Problem: get the data of the previous session after selecting a Session from the filter.
Please help me to get the solution.
If two different panels in your dashboard need different data then they probably should use different searches. Or use a base search that gathers the data needed for both and use post-processing to filter the data needed by each panel.

Extracting certain fields from Splunk query results

I want to print the value of a certain field from a set of events that results from running a particular search query. Here's my query:
index=abc "all events that contain this string" sourcetype=prd
Now, this returns certain events that contain a field called traceId. What I want is to extract unique traceIds from the result and print them. Here's the query that I am using currently, but to no avail:
index=abc "all events that contain this string" sourcetype=prd | rex field=_raw "traceId: (?<traceId>.*)"
This query prints all the fields in the event (events are printed as JSON docs.).
Can someone help me with this? I have never worked with Splunk before, so please go easy if the question looks a bit easy.
Thanks!
Answering this without some sample data is almost impossible... still, I think you are getting all data because:
- you are not using the fields command to filter your fields of interest. It would go like so: `index=abc "all events that contain this string" sourcetype=prd | rex field=_raw "traceId: (?<traceId>.*)" | fields field1, field2, traceId`
- your regular expression is greedy, which means the traceId field will contain all text from that point to the end of the event. Try to be more specific, e.g. \d+ for numeric data or even [^\s]+ for non-blanks.
~HTH
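The greedy-capture problem the answer above describes, shown on constructed log lines (this is an added illustration, not code from the question or the answer; the sample events and field names are made up). The `extract` function plays the role of `rex field=_raw`, and `unique_trace_ids` plays the role of a following `dedup traceId` or `stats count by traceId`:

```python
import re

# Constructed sample events (not from the original question). Each carries a
# "traceId: <number>" token followed by more text, like the _raw of a log event.
EVENTS = [
    '2024-01-01T10:00:00Z INFO traceId: 8842 user=alice msg="ok"',
    '2024-01-01T10:00:01Z INFO traceId: 8842 user=alice msg="retry"',
    '2024-01-01T10:00:02Z WARN traceId: 9731 user=bob msg="slow"',
    '2024-01-01T10:00:03Z INFO health check, no trace id here',
]

# The regex from the question: `.*` is greedy, so it swallows everything
# after "traceId: " up to the end of the event.
GREEDY = re.compile(r"traceId: (?P<traceId>.*)")

# The fix suggested in the answer: constrain the capture to the id's shape
# (\d+ for a numeric id; [^\s]+ would do for any non-blank token).
SPECIFIC = re.compile(r"traceId: (?P<traceId>\d+)")


def extract(events, pattern):
    """Mimic `rex field=_raw "<pattern>"`: return the captured traceId per event,
    or None where the pattern does not match (rex leaves the field unset)."""
    result = []
    for raw in events:
        match = pattern.search(raw)
        result.append(match.group("traceId") if match else None)
    return result


def unique_trace_ids(events, pattern=SPECIFIC):
    """Mimic `| dedup traceId | table traceId`: unique ids in first-seen order,
    skipping events where the extraction produced nothing."""
    seen = []
    for trace_id in extract(events, pattern):
        if trace_id is not None and trace_id not in seen:
            seen.append(trace_id)
    return seen


if __name__ == "__main__":
    print("greedy  :", extract(EVENTS, GREEDY))
    print("specific:", extract(EVENTS, SPECIFIC))
    print("unique  :", unique_trace_ids(EVENTS))
```

With the greedy pattern the first event yields `8842 user=alice msg="ok"` as its "traceId", so no two events ever dedup to the same id; with `\d+` the ids collapse to `8842` and `9731`. The equivalent SPL is the answer's `rex` followed by `| dedup traceId | table traceId` (or `| stats count by traceId`).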

How to re-rank documents based on their attributes rather than just their field relevance?

I'm trying to use Solr to re-rank document results based on relevance to the user searching. For example, if I search joann* this could return documents where the Name field is anything from joanna to joanne. What I'm trying to do is to return documents that match on certain attributes that I have as well; this could be something like us both having the field Location = "NYC".
So my question is twofold: is there a way to grab and handle a user's information when they are making a query, and also is there a way to re-rank based on these additional field values? Would this look more like writing some code or just an expanded query?
It looks to me like you are talking about functionality that Query Reranking exactly provides. Did you check that out?

Splunk Search does not return all event data on a field

I'm facing a very strange issue in my Splunk search. I have a data input coming from a REST API that returns a multi-level (nested) JSON response:
The entity node has several nodes, each node represents one access point. Each access point contains a field called ipAddress.
This API is being called every 5 min and the response stored in Splunk. When I do a search to get the list of IP addresses from one event I don't get all of them. For some reason, it is like Splunk is reading only the first seven nodes inside entity, because when I do:
source="rest://AccessPointDetailsAPI" | head 1
Splunk shows only the following values on the field (7 values although there are around 27):
I'm using a demo license if that matters. Why can't I see all values? If I change my search to look for a specific ipAddress that is in the response but not in the list, it won't return records.
Thanks and regards,
I think I understand the problem now. So the event is a big JSON and Splunk is not properly parsing all fields on the big JSON.
We need to tell Splunk to parse the specific field we need with spath, specifying the field:
yoursearch | spath output=myIpAddress path=queryResponse.entity{}.accessPointDetailsDTO.ipAddress | table myIpAddress
http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/Spath
But I think it is also important to analyze whether the data input needs to be divided into multiple events rather than a single huge event.
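Both the first question on this page (the sandbox report whose `process{}` and `call{}` arrays are flattened into one multivalue field, so a match on one element shows every element) and the question just above (an explicit `spath` path over `entity{}`) come down to how a `{}` path walks nested JSON. The following is an added illustration in Python, not code from either question or from Splunk: `spath` here mimics Splunk's path syntax over a parsed event, and `matching` keeps only the elements that satisfy a wildcard, which is the step the first question is missing. The sample events are constructed and the field layouts are assumed from the paths shown in the questions:

```python
import json
import re

# Constructed event shaped like the sandbox report of the first question (_raw as JSON text).
RAW_REPORT = json.dumps({
    "behavior": {"system": {"processes": {"process": [
        {"name": "a.exe", "fileactivities": {"fileCreated": {"call": [
            {"path": "C:\\Windows\\Temp\\x.tmp"},
            {"path": "C:\\Users\\bob\\y.txt"},
        ]}}},
        {"name": "b.exe", "fileactivities": {"fileCreated": {"call": [
            {"path": "C:\\Windows\\System32\\z.dll"},
        ]}}},
    ]}}}
})

# Constructed event shaped like the REST response of the question above:
# 27 access points under queryResponse.entity{}, each with an ipAddress.
RAW_REST = json.dumps({"queryResponse": {"entity": [
    {"accessPointDetailsDTO": {"ipAddress": f"10.0.0.{i}"}} for i in range(1, 28)
]}})

FILE_PATH = "behavior.system.processes.process{}.fileactivities.fileCreated.call{}.path"
IP_PATH = "queryResponse.entity{}.accessPointDetailsDTO.ipAddress"


def spath(raw, path):
    """Walk a Splunk-style path such as a.b{}.c over a JSON event.

    A segment ending in {} expands every element of that array, so the result is
    the flat multivalue list Splunk gives the field: every element, not only the
    ones that matched the search. Missing keys simply contribute nothing."""
    nodes = [json.loads(raw)]
    for segment in path.split("."):
        expand = segment.endswith("{}")
        key = segment[:-2] if expand else segment
        next_nodes = []
        for node in nodes:
            if not isinstance(node, dict) or key not in node:
                continue
            child = node[key]
            if expand:
                if isinstance(child, list):
                    next_nodes.extend(child)
            else:
                next_nodes.append(child)
        nodes = next_nodes
    return nodes


def matching(raw, path, wildcard):
    """Keep only the extracted values matching a Splunk-style wildcard (* = anything).

    This is the per-element filter the first question lacks: the search matched
    the event, but a table of the field still shows all array elements."""
    regex = "^" + re.escape(wildcard).replace(r"\*", ".*") + "$"
    pattern = re.compile(regex, re.IGNORECASE)
    return [v for v in spath(raw, path) if isinstance(v, str) and pattern.match(v)]


if __name__ == "__main__":
    print("all fileCreated paths :", spath(RAW_REPORT, FILE_PATH))
    print("only C:\\Windows*     :", matching(RAW_REPORT, FILE_PATH, "C:\\Windows*"))
    print("ipAddress count       :", len(spath(RAW_REST, IP_PATH)))
```

In SPL the same two steps are `| spath output=paths path=...` to extract the multivalue field explicitly (as the answer above does for `ipAddress`), followed by `| eval hits=mvfilter(match(paths, ...))` to keep only the elements of interest before tabling them.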

Solr: Search in multiple fields BUT STOP if documents match was found

I want to search in multiple fields in Solr.
(I know the concept of copy-fields and I know the (e)dismax search handler.)
So I have an ordered list of fields that I want the terms to be searched against:
1.) SKU
2.) Name
3.) Description
4.) Summary
and so on.
Now, when the query matches a term, let's say in the SKU field, I want this match and no further searches in the following fields.
Only, if there are NO matches at all in the first field (SKU field), the second field (in this case "name") should be used and so on.
Is this possible with Solr?
Do I have to implement my own Lucene Search Handler for this?
Any advice is welcome!
Thank you,
Bernhard
I think your case requires executing 4 different searches. If you implement your very own SearchHandler you could avoid the penalty of search result accumulation over 4 different requests. Which means, you would send one query, and the custom SearchHandler would execute 4 searches and prepare one result set.
If my guess is right you want to rank the results based on the order of the fields. If so then you can just use standard query like
q=sku:(query)^4 OR name:(query)^3 OR description:(query)^2 OR summary:(query)
this will rank the results by the order of the fields.
Hope it helps.